Facebook, Google, Microsoft, Twitter and Yahoo Balk At UK's Investigatory Powers

Mark Wilson writes: The Investigatory Powers Bill may only be in draft form at the moment, but the UK government has already received criticism for its plans. Today, scores of pieces of written evidence, both for and against the proposals, have been published, including input from the Reform Government Surveillance (RGS) coalition. Five key members of the coalition are Facebook, Google, Microsoft, Twitter and Yahoo. In their written evidence, the quintet of tech companies express their concerns about the draft bill, seek clarification from the UK government, and issue warnings about the implications of such a bill. The evidence (document IPB0116) says that any surveillance undertaken by the government need to be 'targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent'. The coalition notes that many other countries are watching to see what the UK does.

stupid uk gov vs big bad corps. which is worse?

[sittingnut]

the curious thing about uk bill is that is is explicit in its intrusive powers. western govs, in past and at present, have been getting these same companies to do what they want without such explicit powers.
they makes a fuss only when all these are publicly exposed. but are quite corporative privately.

Re:stupid uk gov vs big bad corps. which is worse?

[Opportunist]

My guess is that the bill would let the UK demand user data, which is what the five would rather want to sell than to give out for free.

Re:stupid uk gov vs big bad corps. which is worse?

[AmiMoJo]

The problem with the UK system of government is that once a party gets a majority they can pretty much do what they like, and so there isn't really much to stop them just grabbing whatever powers and data they want now. Plus, it is likely that they are using the usual tactic of asking for extreme powers and then "compromising" on the only slightly milder powers they really wanted. Hay, look, they are listening to our concerns!

The written submissions are interesting reading. For example, Trading Standards wants access to enforce trade marks. They want the ability to sift through your metadata to enforce commercial trademarks. This is just to start with, we haven't even had the mission creep yet, and they want to use this hugely invasive tool that other oppressive regimes can only dream about for the relatively mundane purpose of enforcing commercial trade marks. Not paedophiles, not terrorists, companies using branding without permission.

Then they ask if it is really necessary to have judicial review of Trading Standard's requests, because hay they can monitor themselves for abuse and save a bit of time and money. Oh, and anyone who doesn't cooperate should go to jail, because this is Trading Standards, those trade marks are life or death!

It gets worse from there. The Police Chief's council is concerned that hacking will be limited to serious cases only. Even ignoring the flimsy justification, it's a really, really stupid idea because the more police malware is used the easier it will become to get samples, detect and block it. I somehow doubt that foreign anti-virus companies are going to add exceptions for the UK police to target the phones of people posting revenge porn.

Naturally they are worried that the retention term might be reduced from 12 months too, because they prefer to record things forever, e.g. their vast DNA database.

The CPS claims that evidence acquired by hacking will be usable in prosecutions. This is rather worrying. Once a device or computer has been hacked it will be extremely easy to plant evidence on it. The accused will find themselves in the position of having to pay for independent experts to give evidence that the prosecution could have planted incriminating files or metadata, or just written their own log files. They must be planning ways to get around people claiming that they were framed when hacked evidence is used, which is extremely alarming.

The Local Government Association simply lies in their submission. They point out that under existing legislation only 19 out of 6000 data access requests were rejected by courts, but of course don't mention that many of those granted were later found out to be abuses or unwanted mission creep.

Basically government agencies are rubbing their hands with glee at the thought of being able to pry into people's lives, while everyone else is extremely alarmed and vowing to resist.

Re:stupid uk gov vs big bad corps. which is worse?

[IamTheRealMike]

Were quite cooperative. Not any more.

Years ago, companies like Facebook and Google had fairly cordial relationships with police departments around the western world. If a government came and said we need access to account X because we think it's engaged in child porn or terrorism, the companies asked them to fill out the right paperwork and then got on it. Sometimes they'd even tip governments off, if they spotted someone doing stuff that was clearly criminal. It wasn't really an adversarial relationship. There was an assumption of good faith on both sides. The UK was especially dependent on this kind of relationship because it has comparatively little influence over these companies, none of whom have major engineering centers or fixed assets there (the London development offices of Google and Facebook only got reasonably big very recently indeed and neither are critical to the firms).

That all changed post Snowden. You can read about this change in UK newspapers. Post Snowden these companies stopped assuming good faith and started doing everything they could to slow things down, because they were understandably upset that governments had been secretly hacking their systems and intercepting their fibre connections. Google in particular encrypted all the inter-datacenter traffic that GCHQ had been intercepting, which made the intelligence agencies dramatically less useful, as so much of the data they wanted was hosted there. Whereas previously these firms might have not worried too much if the i's and t's weren't dotted and crossed, now they insisted on it as a matter of principle. They started challenging everything automatically. Most seriously of all they started saying "the data for this account is under the control of our US subsidiary so you need to get an MLAT to access it". An MLAT is a Mutual Legal Assistance Treaty and is a process for one country to formally request legal help from another. The MLAT process is extremely slow and bureaucratic so Silicon Valley's newfound insistence that it always be used effectively put a halt to most of the snooping that the UK had been doing.

So now the UK wants their old powers back. What they REALLY want, of course, is for Google/Facebook/Yahoo/Apple to decrypt their wires and devices so GCHQ can go back to snaffling all of it. They know they probably can't get that though, but an automatic "we say jump, you say how high" process with no safeguards and no mutual legal assistance treaties is the next best thing.

The risk here, for the UK, is that the UK needs Silicon Valley more than SV needs the UK. It'd be very easy for Google, Facebook, Twitter etc to simply shut down their offices in London and offer the engineers a relocation package. The sales staff can be rehired elsewhere. They'd rather not do this as it'd be disruptive, but nothing in their business requires a presence in London. It's not like most companies where they have factories and other immovable assets. Google can sell services into the UK from Ireland just fine and did so for years. If the UK pushes these companies too hard there's a risk they'll simply leave. UK isn't going to block these websites. It's clear from comments by Tim Cook especially that this isn't some abstract business decision for these firms, the CEOs see it as a moral issue. Now the Twitter CEO went back to being Dorsey it's possible he'll see things the same way too. Not sure about Facebook but the cultures are fairly similar.

Balance of power

[spiritplumber]

At this point if the UK government annoyed Facebook+Google+Twitter+Microsoft+Yahoo into withdrawing their services from the country, it would damage the government more than it would damage those companies -- the government would blink first.

Re:Balance of power

[greenfruitsalad]

UK is a BIG english-speaking market, where people buy more goods online than in any other country in the world ( http://www.telegraph.co.uk/new... ). right now, these companies are just trying to save faces before they start applying lubricant to all orifices. by the time UK government says "bend over", they'll be waiting in line with pants around their ankles.

Re:Balance of power

[Required+Snark]

So now the UK and People's Republic of China are on the same page when it comes to surveillance. They both want 24/7 access to all information on anyone or any organization. It makes you wonder how similar they are on other aspects of power and control.

Of course, here in the US it's actually worse. They go to great lengths to spy on everyone and they don't bother with pesky issues like the constitution or the rule of law. They just do what they want to do and get all the money they need to do it without any debate or oversight. And they lie their teeth out over what they do. I bet the PRC is jealous.

Here, let me fix that last quote

[93+Escort+Wagon]

"... many other countries are watching to see what the UK can get away with."

Hate the uk

[liqu1d]

Although I'm born and bred here I cannot stand the utter lunacy display by the governments. They seem complete Luddites. Any criminals caught by such sweeping powers will be nothing more than token victories. This will do absolutely nothing to touch the ones whom we should worry about. They're supposed to be our leaders not our oppressors.

End-To-End Encrytion is the Issue

[jaa101]

The big issue with the law is that it seems to be banning end-to-end encryption. Right now, when the FBI comes to Apple and says "give us this person's iMessages in clear text" Apple can just respond "we made it so that we have no way to comply". Apple likes it that way, mostly because customers hate being spied on so it's a selling point. The UK is ramping up to say "make it so you can comply in future or else big fines and gaol". And it's going to be hard for Apple to do this just for the UK. You can bet the UK is going to be of the view that they need to be able to see the comms of foreign citizens on UK soil, and of UK citizens overseas. It's just like how California car emission laws have consequences for the whole of the US. In this case a UK law could outlaw strong encryption for ordinary consumers in the whole developed world.

Why did UK politicians even comment?

[AHuxley]

The UK gov and mil has had total control over all communications systems since 1914.
From the Defence of the Realm Act 1914 https://en.wikipedia.org/wiki/... to every phone line domestically and in and out of Ireland to all calls on Intelsat via CSO Morwenstow/GCHQ Bude.
The ability to collect all and then use parallel construction over the decades was never really fully worked out by the press, lawyers, human rights campaigners, tech experts or academics.

All MI5/6 and the GCHQ had to do in closed courts was to ensure a protected "witness" could be presented to confirm what "collect it all" had originally found.
Legal experts would assume someone had been turned and offer immunity or a deal. Few in public really understood the collaboration between the US, UK tech sectors, academics and the UK gov over decades.
All the UK political experts should have said was that VPN, US consumer grade cryptography, onion routing was a complex issue that the government was spending money on trying to understand over time.

Generations of interesting people would have continued to be fooled into using fully tracked VPN services, gov malware ready cell phones, tracked telecommunications products, junk consumer grade encryption, IP reporting onion routing applications. All networking would have been under full UK gov observation with only hints that sock puppets could have been used to counter.

Projects like Tempora https://en.wikipedia.org/wiki/... would have given the UK the world if UK politics would have just been more vague about global collection.
Why did the UK intelligence services even allow UK political talking points to the formulated and talked about on topics like trapdoors, backdoors, new gov keys to all UK encryption?
Academics and software developers to help to trapdoor crypto by design and sharing of extra keys with the UK gov?

Now everyone knows "Designed in the UK" is code for the UK gov and mil listening in by default over all generations of UK products and brands.
Local manufacture is now synonymous with hardware tracking and default backdoors out of the box.
If only decades of clever policy surrounding crypto ambiguity had been allowed to continue.