Can GCHQ order techies to work as govt snoops? Experts fear: 'Yes'
UK Home Office's response to concerns are a riddle wrapped in an enigma
Analysis The UK Home Office's ambiguous response to whether or not the Investigatory Powers Act gives the British government the authority to pressure or force people to work for GCHQ is troubling.
The law was ambiguously worded enough so that not even experts could discern whether or not the compulsion to assist in surveillance operations applied only to telecoms firms or whether it meant security experts could be press-ganged into assisting the UK's law enforcement and intel agencies.
Clubley decided to ask the Home Office for clarification directly, an inquiry that sparked a curious response – a key extract is below:
Section 190 of the IPA allows equipment interference authorities to require the assistance of any person in giving effect to a bulk equipment interference warrant (section 126 of the Act provides for this in the context of targeted equipment interference warrants). A warrant can only be served on a person whom the equipment interference authority considers may be capable of providing the assistance required by the warrant. In some circumstances equipment interference agencies and other persons will work co-operatively together, without the need to serve a warrant.
While a warrant can be served on any person, the duty to comply [our italics] with providing assistance in relation to a targeted or bulk equipment interference warrant, is only enforceable against a telecommunications operator, as set out in section 128 of the IPA.
A telecommunications operator who has been served with a warrant must take all steps for giving effect to a warrant which are notified to them. A telecommunications operator will not be required to take steps which are not reasonably practicable to take.
Allegedly, there are safeguards against misuse:
Bulk equipment interference warrants will be subject to a "double-lock" system whereby a Secretary of State and a Judicial Commissioner must be satisfied that the warrant is necessary and proportionate before it may be issued.
Any individual who thinks that surveillance powers have been used against them unlawfully can apply to the Investigatory Powers Tribunal to review their case.
Clubley told El Reg: "The Home Office are saying that, yes, literally anyone can be served with a warrant but they are also saying that only telecommunications companies can be compelled to assist.
"The disconnect between those two statements doesn't seem to make sense. After all, why give yourself the power to do something if you cannot then enforce it?"
He added: "The only conclusion I have been able to reach is that the government knew it would never get a law passed which compelled everyone to cooperate with GCHQ, so they are instead relying on the actual act of serving a warrant to intimidate people into cooperating."
The Home Office statement indicates that, under paragraph (3)(f) of section 132 of the IPA, anyone served with a warrant – even if they are under no obligation to assist the government – is liable to prosecution simply by revealing they had been served with a warrant, said Clubley.
"This leaves the government free to shop around, serving warrants on multiple experts, until they find one they can intimidate into working with them," according to Clubley. "For myself, if I received such a warrant, I would simply tell the government to get lost, but I can imagine for some people, actually receiving such a warrant, along with threats about what would happen if they revealed its existence, would be enough to scare them into cooperating with the government," he added.
Prof Alan Woodward, a computer scientist at the University of Surrey in the UK, agreed that the Home Office letter was "ambiguous."
You've been served
"It seems to suggest that a warrant to assist can be served on anyone, not just the telecoms operators as some had suggested," said the professor. "But the letter further suggests, and I am just an engineer and not a lawyer, that only the telecoms providers would be obliged to cooperate."
After re-reading section 126, 127, 128 and 190 of the law again and, in conjunction with the Home Office letter, Prof Woodward came to the conclusion that "anyone, for example a researcher, could be served with a warrant to assist in equipment interference."
"I must confess if this did happen to me, with a court issued warrant, I'd feel obliged to cooperate. I'm not sure I'd want to see what would happen if I refused to assist them in executing the warrant," the professor concluded.
My concern is rather that some CSPs will be more helpful than the legislation justifies
Peter Sommer, professor of digital forensics at Birmingham City University, and a specialist advisor to a parliamentary committee that scrutinized the surveillance law, said the process of considering the legislation was flawed.
"There are in fact rather a lot of ambiguities in the IPA legislation," Sommer told El Reg. "Although it was examined by quite a number of committees as well as on the floors of the Commons and Lords, none of them really gave themselves sufficient time to examine the wording with the detail required."
The sheer difficulties of turning policy into unambiguous words or appreciating how words might in future be interpreted should not be underestimated, he explained. Even though clarifications were obtained and rewordings made, the final law was imperfect, and the bulk interception provisions clauses are not the only resulting difficulties.
A key detail is whether or not one of these warrants can force someone, let alone a telco, to aid the government against their will: can it be safely ignored, can it be used to pressure people to comply because it's too much cost and effort to successfully resist, or must it be obeyed without question?
"My understanding is that a warrant cannot exist in the absence of a power for it to be issued," Sommer said. Second, the Single Intelligence Account and GCHQ in particular would be very unwise to expect to get productive enforced cooperation. Far better to produce good reasons to motivate people to help.
"Paradoxically, my concern is rather that some communication service providers will be more helpful than the legislation justifies. After all, some telcos plainly gave assistance for intercepts under the old section 94 of the Telecommunications Act 1984 – a feature later rectified under IPA."
Steven Murdoch, a security researcher at the University College London and authentication vendor VASCO, argued it would be up to the courts to adjudicate on the legislation and decide how it applies in practice.
"The Home Office opinion as to what the act says isn’t binding, nor are the explanatory notes that accompany it," he said. "The law says what the law says, and interpretation is up to the courts – who may chose to take into account other information like statements in Parliament, but may not."
What's the rush?
Murdoch agreed with Sommer that some of these ambiguities are the result of the speed at which the act went from draft to law, adding that "it would have been better if there were more time for scrutiny where these issues could have been ironed out."
"Most importantly, I would be more confident that over-broad interpretations of the law could be prevented if there is more transparency in the exercise of powers," he concluded.
Prof Woodward added: "I find the Home Office letter interesting as it perhaps indicates what they intended, even if the courts interpret it differently when it is tested by the judiciary."
After reflecting on the subject, Prof Woodward said he believed that it was likely that warrants would to be served on telcos before being passed on to researchers.
"It would be the telco [who had received the warrant] who would pass on the warrant to an individual that they felt was required/could assist in the telco executing the warrant," Woodward speculated. "So the telco would have to consider that an individual (other than, say, one of their own employees) had some special capability necessary to give effect to the warrant. The practicalities of that relationship would seem to be fraught with difficulty."
But why even bother going to anyone but an actual comms provider?
Sommer responded: "I strongly suspect that the SIAs will want to approach the matter co-operatively. GCHQ and the Home Office already have developed relationships with most of the CSPs that they are likely to need help from; indeed you can see that many of them already have ex-GCHQ staff.
"This leads me to observe that the main role of section 190 is to protect the CSP which is willing to help but also needs cover against legal action from the customers whose equipment is being penetrated - 'sorry, we were compelled'."
Graham Smith, an IT and internet lawyer at Bird&Bird, explained that the new law repeats a formulation found in earlier UK surveillance laws that imposes duties to assist only on telecoms operators:
As the Home Office letter says, a warrant "can only be served on a person whom the equipment interference authority considers may be capable of providing the assistance required by the warrant" See e.g. S. 126(2)(a), 190(2)(a). When they say 'any person' in the next para, they must mean subject to that qualification.
The HO [Home Office] is correct that only a telecommunications operator can be compelled to assist: S.128(1)/(2) impose the specific duty to take steps notified to the operator. S.128(5) sets out the "reasonably practicable" exception. S128(7) sets out the enforceability of the duty imposed by S.128(1)/(2). S.190(5) applies these provisions to bulk warrants.
This does leave a question as to why, when no enforceable duty to assist applies to anyone other than a telecoms operator, the Act uses the word 'require' in S.126(1) and 190(1) (and indeed in the equivalent provisions elsewhere in the Act). For what it's worth, that repeats the formula used in S.11(2) of the existing RIPA legislation for interception warrants, which has been in place since 2000.
The Investigatory Powers Act can be found online in full, here.
The IPA's definition of a "telecommunications operator" is widely scoped so that many organisations are covered by this definition. "Bulk equipment interference" is not just about some specialist bits of switching equipment located in a building somewhere, Clubley argued.
Do you run a boutique ISP?
Section 261 of the Act defines that a "telecommunications operator" is anyone who provides or controls a communications network of any kind. Paragraph 10 of section 261 talks about how you are also considered to be a telecommunications operator even if you only merely "control" the telecommunications system in question; actual ownership does not appear to be required. That would appear to obligate some third-party maintenance vendors to assist with a Bulk Equipment Interference warrant issued against equipment owned by their customers.
Both private and public telecommunications operators are covered by the bulk equipment interference warrants. ®