Facebook, Google, Microsoft, Twitter and Yahoo Balk At UK's Investigatory Powers

Mark Wilson writes: The Investigatory Powers Bill may only be in draft form at the moment, but the UK government has already received criticism for its plans. Today, scores of pieces of written evidence, both for and against the proposals, have been published, including input from the Reform Government Surveillance (RGS) coalition. Five key members of the coalition are Facebook, Google, Microsoft, Twitter and Yahoo. In their written evidence, the quintet of tech companies express their concerns about the draft bill, seek clarification from the UK government, and issue warnings about the implications of such a bill. The evidence (document IPB0116) says that any surveillance undertaken by the government need to be 'targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent'. The coalition notes that many other countries are watching to see what the UK does.

stupid uk gov vs big bad corps. which is worse?

[sittingnut]

the curious thing about uk bill is that is is explicit in its intrusive powers. western govs, in past and at present, have been getting these same companies to do what they want without such explicit powers.
they makes a fuss only when all these are publicly exposed. but are quite corporative privately.

Re:stupid uk gov vs big bad corps. which is worse?

[AmiMoJo]

The problem with the UK system of government is that once a party gets a majority they can pretty much do what they like, and so there isn't really much to stop them just grabbing whatever powers and data they want now. Plus, it is likely that they are using the usual tactic of asking for extreme powers and then "compromising" on the only slightly milder powers they really wanted. Hay, look, they are listening to our concerns!

The written submissions are interesting reading. For example, Trading Standards wants access to enforce trade marks. They want the ability to sift through your metadata to enforce commercial trademarks. This is just to start with, we haven't even had the mission creep yet, and they want to use this hugely invasive tool that other oppressive regimes can only dream about for the relatively mundane purpose of enforcing commercial trade marks. Not paedophiles, not terrorists, companies using branding without permission.

Then they ask if it is really necessary to have judicial review of Trading Standard's requests, because hay they can monitor themselves for abuse and save a bit of time and money. Oh, and anyone who doesn't cooperate should go to jail, because this is Trading Standards, those trade marks are life or death!

It gets worse from there. The Police Chief's council is concerned that hacking will be limited to serious cases only. Even ignoring the flimsy justification, it's a really, really stupid idea because the more police malware is used the easier it will become to get samples, detect and block it. I somehow doubt that foreign anti-virus companies are going to add exceptions for the UK police to target the phones of people posting revenge porn.

Naturally they are worried that the retention term might be reduced from 12 months too, because they prefer to record things forever, e.g. their vast DNA database.

The CPS claims that evidence acquired by hacking will be usable in prosecutions. This is rather worrying. Once a device or computer has been hacked it will be extremely easy to plant evidence on it. The accused will find themselves in the position of having to pay for independent experts to give evidence that the prosecution could have planted incriminating files or metadata, or just written their own log files. They must be planning ways to get around people claiming that they were framed when hacked evidence is used, which is extremely alarming.

The Local Government Association simply lies in their submission. They point out that under existing legislation only 19 out of 6000 data access requests were rejected by courts, but of course don't mention that many of those granted were later found out to be abuses or unwanted mission creep.

Basically government agencies are rubbing their hands with glee at the thought of being able to pry into people's lives, while everyone else is extremely alarmed and vowing to resist.

Re:stupid uk gov vs big bad corps. which is worse?

[IamTheRealMike]

Were quite cooperative. Not any more.

Years ago, companies like Facebook and Google had fairly cordial relationships with police departments around the western world. If a government came and said we need access to account X because we think it's engaged in child porn or terrorism, the companies asked them to fill out the right paperwork and then got on it. Sometimes they'd even tip governments off, if they spotted someone doing stuff that was clearly criminal. It wasn't really an adversarial relationship. There was an assumption of good faith on both sides. The UK was especially dependent on this kind of relationship because it has comparatively little influence over these companies, none of whom have major engineering centers or fixed assets there (the London development offices of Google and Facebook only got reasonably big very recently indeed and neither are critical to the firms).

That all changed post Snowden. You can read about this change in UK newspapers. Post Snowden these companies stopped assuming good faith and started doing everything they could to slow things down, because they were understandably upset that governments had been secretly hacking their systems and intercepting their fibre connections. Google in particular encrypted all the inter-datacenter traffic that GCHQ had been intercepting, which made the intelligence agencies dramatically less useful, as so much of the data they wanted was hosted there. Whereas previously these firms might have not worried too much if the i's and t's weren't dotted and crossed, now they insisted on it as a matter of principle. They started challenging everything automatically. Most seriously of all they started saying "the data for this account is under the control of our US subsidiary so you need to get an MLAT to access it". An MLAT is a Mutual Legal Assistance Treaty and is a process for one country to formally request legal help from another. The MLAT process is extremely slow and bureaucratic so Silicon Valley's newfound insistence that it always be used effectively put a halt to most of the snooping that the UK had been doing.

So now the UK wants their old powers back. What they REALLY want, of course, is for Google/Facebook/Yahoo/Apple to decrypt their wires and devices so GCHQ can go back to snaffling all of it. They know they probably can't get that though, but an automatic "we say jump, you say how high" process with no safeguards and no mutual legal assistance treaties is the next best thing.

The risk here, for the UK, is that the UK needs Silicon Valley more than SV needs the UK. It'd be very easy for Google, Facebook, Twitter etc to simply shut down their offices in London and offer the engineers a relocation package. The sales staff can be rehired elsewhere. They'd rather not do this as it'd be disruptive, but nothing in their business requires a presence in London. It's not like most companies where they have factories and other immovable assets. Google can sell services into the UK from Ireland just fine and did so for years. If the UK pushes these companies too hard there's a risk they'll simply leave. UK isn't going to block these websites. It's clear from comments by Tim Cook especially that this isn't some abstract business decision for these firms, the CEOs see it as a moral issue. Now the Twitter CEO went back to being Dorsey it's possible he'll see things the same way too. Not sure about Facebook but the cultures are fairly similar.