Researcher uncovers UK government threat to privacy

Despite concerns about the draft Investigatory Powers Bill, a legal researcher has highlighted that existing legislation is a much bigger threat to privacy than most UK citizens realise

UK citizens are concerned about the government being able to extend its powers to break encryption and encroach on privacy, a survey by security firm Venafi shows.

But people are woefully ill-informed about existing law enforcement powers that enable just that, a legal researcher has revealed.

Nearly two-thirds of more than 2,000 UK citizens polled do not trust the government to look after their data, 69% suspect that the UK government abuses its power to access data on citizens, and 76% are concerned that the draft Investigatory Powers Bill (IPB) will increase government powers to gain access to the contents of their emails, texts and other communications.

Some 70% believe that if given increased powers to access data such as those proposed under the IPB, the government will abuse those powers, and the same percentage are against the government being allowed to force technology companies to put their customers’ data at risk by creating encryption ‘back doors’.

Kevin Bocek, vice-president of security strategy for Venafi, said every business is now essentially a software company, whether a bank, retailer, insurer or manufacturer, and could find itself in the crosshairs of government without recourse, especially in the UK.

“This isn’t just a question of whether we trust government to behave responsibly and not abuse its power to hijack the internet and privacy, it is also a question of competence,” said Bocek.

“Just like we saw with Stuxnet, governments breaching the privacy of businesses to create cyber weapons produces powerful blueprints for cyber criminals to follow the lead.”

Despite this bleak picture for privacy, most citizens still believe they are better off in the UK than in the US, with 69% of UK citizens believing the US government has greater powers than the UK government in accessing their private and protected information.

Opposite is true

But a white paper commissioned by Venafi and written by legal researcher Brian Bandey says the opposite is true. In fact, he claims that if UK law enforcement instead of the FBI had taken action against Apple, just like it could with any UK business, Apple could have been forced to turn over its keys without the prior approval of a judge and Apple chief executive Tim Cook could have been locked up in jail if he had not complied.

According to the research, under section 49 of the Regulation of Investigatory Powers Act 2000 (Ripa), the UK government can force individuals – whether they are a suspected criminal or the CEO of a company that holds data – to provide access to said data without making an application to a judge.

Individuals or company officers served with s.49 notices can also be isolated, the white paper points out. If the s.49 notice contains a s.53 prohibition, the individual cannot communicate with anyone except their solicitor – not their family or, in the case of a CEO, not even their fellow board members. According to Bandey, they certainly cannot make a public statement, as Cook did in the Apple/FBI case.

Under the provisions of Ripa, individuals can be subject to criminal proceedings and face up to three years in prison for non-compliance if they refuse to hand over their encryption keys or digital certificates. In some cases, they may even be forced to create software that undermines their own security, which is commonly known as a back door.

Never heard of Ripa

However, according to Venafi’s survey, four out of five UK citizens have never heard of Ripa or the powers it gives the government. When looking at the terms, 71% of UK citizens think it is unfair that (under Ripa) the government can force citizens or businesses to hand over personal information without having been charged or convicted of any crime.

A further 78% also think it is wrong that private companies can be compelled to give out data on their customers without the customer’s knowledge or consent.

“Ripa has huge implications for UK businesses and the multinationals that operate in the country, particularly individuals in more senior positions within those organisations,” said Bocek. “There is no option to hide behind the corporate veil because it is the individual who is charged, not the company, and the individual who needs to make the difficult choice between protecting customer data or their personal freedom.

“Most UK citizens have no idea these powers even exist. This is a worrying state of affairs. Our freedoms and rights are slowly being eroded. Government is gaining powers to hijack the internet.”

Younger people more trusting

The survey also shows the younger generation is more trusting when it comes to the government, with 44% of 16 to 24-year-olds and 41% of 25 to 34-year-olds trusting the government, compared with just 28% of 45 to 54-year-olds and 31% of 55 to 64-year-olds.

The younger generation is also less likely to believe that the government would abuse its power to access data on citizens, with 63% of 16 to 24-year-olds believing it would abuse such powers, compared with 76% of 45 to 54-year-olds.

The younger generation also had more awareness of the Ripa legislation, with 26% of 16 to 24-year-olds saying they had heard of it, compared with only 15% of 45 to 54-year-olds and 17% of 55 to 64-year-olds.

They were also less likely to object to government forcing citizens to hand over their personal data, with 34% saying it is fair for governments to access their private data, compared with 25% of 45 to 54-year-olds and 28% of 55 to 64-year-olds. The research report said this indicates a greater level of compliance among young people, perhaps because they have grown up in the data age.

In the light of the white paper, Venafi said every UK business could find itself in the same situation as Apple did with the FBI – forced to turn over its keys and certificates to break encryption and enable malicious software. In the UK, Apple’s Cook, or any other UK business executive, could go to jail if they were able to hand over the keys but refused to do so. A court could send them to jail even if they gave up the key later – because they had not complied with the s.49 notice.

According to Venafi, there is a global trend of governments trying to use mostly unknown powers to break the encryption that has been at the foundation of the internet for over 30 years. As a result, businesses must now move to identify and protect keys and certificates that secure privacy and authentication for their customers and business. 

Increasing hunger

“Businesses need to be aware of their fiscal duties and prepare for the government’s increasing hunger to gain access to your cryptographic keys and certificates,” said Bocek.

“Organisations need to know and abide by the law, and keep pace as more key disclosure laws and rulings are introduced in the future. This means IT security teams must find out where all keys and certificates live, establish ownership, protect their ongoing lifecycle, and monitor any changes.”

Bandey concludes his white paper by saying UK companies should not imagine that the action of Ripa is confined to technology companies.

“It is of universal relevance and applicable to any enterprise making or using encryption technologies, keys or certificates,” he wrote. “It is this one important, indeed singular area for all enterprises where the ‘corporate veil’ simply does not exist. Corporate officers and managers are exposed directly to the criminal law provisions of Ripa.”
