Investigatory Powers Bill

Written evidence submitted by Jaron Shulver (IPB 05)

1. Investigatory powers bill

I am a software developer and hold a degree in computer science from Queen Mary, University of London. I work in the City of London and travel at rush hour every working day. I frequently travel using the tube and find myself in crowded areas so I can appreciate the threat of a terror attack. While I appreciate the need to gather intelligence to deliver national security, I feel that this bill is more likely to infringe on innocent people's privacy and even compromise their security than make a useful impact on terrorism. This focuses primarily on the practical aspects of delivering the retention of data with regards to encryption and that you cannot retain data any more securely than a criminal organisation could communicate leading to the conclusion that this is more likely to harm than improve security.

2. I must take issue, given the extensive powers that this bill grants, given that the secretary of state can grant interception, targeted examination and mutual assistance warrants if "the secretary of state considers that there is an urgent need to issue the warrant." The following points should be clarified:

1. The nature of an "urgent need"

2. As the secretary of state can delegate these powers to a "senior official" - the limitations of this should be made clear.

3. The retention of data

Given that a retention notice may "require the retention of all data," particularly with bulk datasets - this may include highly sensitive personal information including passwords, bank account details and more generally personal information. Naturally the leaking of this data can lead to fraud and theft of money leading to personal crises for the victims of such an issue. Of potentially great wider-scale importance, sensitive organisational information of public or private companies may also end up being retained – the abuse of which could lead to severe economic damage or even be used for an even more wide reaching terrorist incidents than would otherwise be possible. While there are some basic provisions requiring securely held data, the practicality of this is in question as some communications systems may not regularly store data and appropriate security practices for the storage of data (which do not necessarily apply for the transmission of data). There is a rich history of sensitive data leaks from insecure systems even from technology giants who are supposed to be established experts in their field [1] . In general, even with the appropriate organisational protections, simply the presence of information persisting like this for longer than it needs to increases the probability of it being obtained by an unauthorised third party.

4. Consider the use of encryption – it is highly likely, particularly given that they most likely will know about this bill, that any terrorist conspirators would communicate using an encrypted messaging protocol (with public key cryptography, keys can be securely exchanged even over a visible, unsecured network – you cannot decrypt that information without their private key which is never transmitted. I could run an expensive, wide reaching advertising campaign to let people know my public key but you'll never be able to decrypt the information I'm sending using it) so any intercepted and retained information would be encrypted in that manner. Therefore if this data was then presented to a security agent there are two possibilities: either the information cannot be decrypted or that the information can be decrypted somehow leading to some helpful outcome to the security service – assuming this is the case, then it is also the case that a properly motivated third party who had stolen that data from a company who had been served a retention notice could also decrypt it. The reason for this equivalence is to do with the types of attacks involved in decryption: brute-force relies on repeatedly trying many encryption keys. It is the case that for any algorithm and key-size in common use, even a high-end super computer should not be able to guess the key in a reasonable time-frame [2] . If they can, then this is an issue as large bot-nets (essentially "hijacked" computer networks) exist [3] which should similarly be able to perform this kind of operation on retained data. If, on the other hand, it is a theoretical vulnerability with the encryption algorithm then everybody's data (whether relevant to this bill or not) is vulnerable to anybody who discovers the flaw as it is a mathematical mechanism.

5. It is worth highlighting the impossibility of preventing anybody, criminal or not, from creating either from scratch or using an existing project as a base their own encrypted messaging system. Software messaging systems are not particularly complex in and of themselves, there are numerous examples [4] of them which are freely accessible and the source codes for which are highly distributed. Swapping out an encryption algorithm for another (there are many [5] ) when you have the source is a fairly trivial task but cracking that encryption is much harder. A criminal organisation may also communicate only after connecting through a network like Tor [6] (essentially a peer to peer proxy network) thereby making it extremely difficult if not impossible to figure out who they are communicating with using typical methods involving the communicators' host information/IP address to locate their ISPs and introducing a massive potential for false positives.

6. This shows us that we cannot store this data any more securely than a terrorist organisation could communicate – the retention of this kind of information therefore primarily is only likely to increase the probability that a criminal steals a member of the public's information. It is also likely to be extremely costly to recover this information if it's possible at all.

7. Provisions for "The removal of electronic protection applied by a relevant operator to any communications or data"

As I discussed previously in section 2.2, aside from this idea potentially violating people's rights, it is most likely not even very useful. The person who "controls" the electronic protection in a secure messaging system is the client themselves (refer back to my side note in 2.1 with regards to public key cryptography). In this case you would be asking the suspect to remove their own encryption, at which point you might as well just sieze their device. It would take a fairly foolhardy would-be terrorist to plan an attack through Facebook. Consider the ethical uses for encryption by ordinary citizens: remote computer access, secure payment transmission and private communication – these all add massive value to the use of the Internet and the Web. Businesses rely on these functions being unimpeded in order to provide secure services to users. By forcing businesses to provide mechanisms to undermine security in these areas, you undermine the fundamental nature of many services.

March 2016

[1] Some specific examples: , . Here's an aggregate visualisation of leaked data through "hacking":

[2] – by which I mean before the heat death of the universe or possibly the time quantum computers become useful

[3] - this botnet controlled 25,000 computers. While it is difficult to estimate the potential computational throughput of such a network, it should put it on the same order of magnitude as a super computer for this kind of task

[4] this project has 516 forks, i.e. duplicate source code repositories, on Github alone and so likely exists on hundreds of people's machines.




Prepared 24th March 2016