Lib Dems decry surveillance plans exposed in leaked documents

After the election, the UK government plans to introduce extreme mass surveillance capabilities, according to documents leaked to the Open Rights Group

The government will require telecommunications operators to provide real-time access to named individuals’ data through proposed regulations on technical capabilities notices (TCNs) under the controversial Investigatory Powers Act.

In terms of the IP Act, TCNs can be used to order companies with over 10,000 UK users to adapt their technology to enable intercept and metadata collection.

The obligations which may be contained in a TCN issued under the act are detailed in a consultation document sent to telecommunications providers, but not published on the website. The consultation process is outlined at Section 253 of the IP Act 2016. 

“This is a ‘targeted consultation’ – and has not been publicised to the tech industry or public,” reads the leaked document published by the Open Rights Group.

The proposed regulations require telcos to ensure they have the technical capabilities to provide assistance in relation to interception warrants, equipment interference warrants, or warrants or authorisations for the obtaining of communications data.

This includes an obligation to “provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection.”

This obligation appears to require telcos to ensure they can provide access to encrypted information.

Other proposed obligations include having the ability to provide access to “secondary information” about any individual named in a warrant, as well as access to primary data and account content and having the ability to simultaneously intercept or obtain secondary data from communications relating to up to 1 in 10,000 customers.

In short, the regulations seek to give government the authority to monitor anyone in the UK in real time and to make it illegal to apply encryption systems that do not have some form of back door access.

The regulations state that companies could be forced to ‘modify’ their products in order to comply with government demands, the Open Rights Group points out, adding that the powers would also limit the ability of companies to develop stronger security and encryption.

Although TCNs may be challenged on technical grounds and must be approved by Judicial Commissioners, the Open Rights Group said the criteria for making a sound judgement of risk to all parties are not set out in the Act or the draft regulations, nor is there a clear route of appeal.

Liberal Democrat president Sal Brinton described the proposed regulations as “a full-frontal assault” on civil liberties and people’s privacy.

“This lays bare the extreme mass surveillance this Conservative government is planning after the election.

“The security services need to be able to keep people safe. But these disproportionate powers are straight out of an Orwellian nightmare and have no place in a democratic society,” she said.

Open Rights Group executive director Jim Killock said the proposed powers could be directed at companies like WhatsApp to limit their encryption.

“The regulations would make the demands that [home secretary] Amber Rudd made to attack end-to-end encryption a reality. But if the powers are exercised, this will be done in secret.

“The public has a right to know about government powers that could put their privacy and security at risk. There needs to be transparency about how such measures are judged to be reasonable, the risks that are imposed on users and companies, and how companies can challenge government demands that are unreasonable.

“Businesses and the public need to know they aren’t being put at risk. Sometimes, surveillance capabilities may be justified and safe: but at other times, they might put many more people – who are not suspected of any crime – at risk.

“Selective, secret consultations have no place in open Government,” he said.

Consulting the Technical Advisory Board

According to the leaked document, the proposed regulations on technical obligations were drawn up in consultation with the UK’s Technical Advisory Board, which is made up of representatives from O2, BT, BSkyB, Cable and Wireless, Vodafone, Virgin Media, and representatives of “intercepting agencies”.

The fact that the Home Office has moved on to its “targeted consultation” implies the regulations have been accepted by the majority of telcos that were included in the closed consultation.

The regulations will have to be approved by both houses of parliament before they become law, but there is no indication there will be any public consultation.

The “targeted consultation,” which is set to end on 19 May 2017, calls for responses to be sent to [email protected].

Ensuring there is no disruption in data flows

The government has indicated it intends to ensure UK data protection laws are consistent with the EU’s General Data Protection Regulation (GDPR) at the point of Brexit to ensure there is no disruption to data flows between the UK and EU member countries.

However, UK information commissioner Elizabeth Denham and others giving testimony in House of Lords EU Home Affairs Sub-Committee hearings on the new EU data protection package have said the government should be aware any inconsistencies between provisions under the Investigatory Powers Act and EU law could be a stumbling block.
