Investigatory Powers Bill

Written evidence submitted by Brass Horn Communications (IPB 08)

Brass Horn Communications is a small, non profit, Internet Service Provider that supplies secure Internet services to members (e.g. secure email, secure shells). It also operates one of the larger UK Tor (https://www.torproject.org) relay families so as to provide privacy enhancing Internet access to people all over the world.

Internet Connection Records

1 Internet Connection Records (ICRs) are an intrusive form of mass surveillance that would (collaterally or by design) document every application used on a individuals phone, tablet or computer, every website they visited, every device in their home and much more. These records, despite what the Home Secretary and others have said, would tell as much about a persons life as the actual content of any communications (which is disingenuous in and of itself as more and more communications content is encrypted).

2 Privacy conscious individuals (and those possibly of interest to the Security Services) would easily be able to obscure or completely hide their ICRs using a variety of technology, thereby rendering ICRs mostly useless for their purported use. The vast majority of actionable ICRs will be of innocent and vulnerable people.

3 Technology to protect peoples privacy will become more prevalent as barriers to entry drop and the demand increases.

4 The Home Office (and other entities such as the National Crime Agency) have suggested that ICRs could be used to trace whether a child was using a particular form of social media prior to their disappearance. Requiring mass retention of ICRs for such purposes is excessive as such information could easily be obtained from simply talking to their friends or their parents. The idea that the entire UK populace should be surveilled so the Police can check if a child used some of the most popular social media applications in existence is fallacious.

5 Internet Connection Records are poorly defined and the Government should (if they won't drop them entirely) clearly state, using industry standards and applicable references to RFCs, what they intend to be retained.

6 Several CSPs (Brass Horn Communications included) intend to challenge the Home Office and will refuse to generate or retain anything resembling ICRs. Many are already developing new technology to help people protect themselves from such mass surveillance.

7 Internet Connection Records and any other form of suspicion-less mass surveillance should be removed from the bill.

Encryption

8 By mandating the "maintenance of technical capability" and by not constraining the powers contained within a "National Security Letter" no UK company can be trusted to secure their communications, their software or their hardware products from state interference.

9 Regardless of the Home Office's stated intentions these powers could be used to undermine the cryptographic protections of messaging software, Virtual Private Networking equipment, SSL secured websites (banking, e-commerce or messaging e.g. the US email service LavaBit) or allow 'backdoors' into hardware such as firewalls and wireless access points.

10 Even as a UK company ourselves we would no longer trust or buy any form of security product from a company subject to the Investigatory Powers Bill. We expect that many others (especially those in other countries) would feel the same. This will have an impact on British industry.

11 With the collateral impact to British industry in mind these powers would still be ineffective as there are already well defined methods and software options in use by many people (ourselves included) that cannot be compromised by a warrant, a National Security Letter or any other form of warrant (short of s.49 RIPA notice issued to the recipient). People will still be able to communicate with unbreakable encryption regardless of what laws are passed.

12 Powers that could be used to undermine encryption are overreaching, damaging and will not prevent those who wish to encrypt their messages remaining secure from Government interference. These powers should be removed and explicitly prohibited if enabled by previous interpretations of prior legislation.

Gagging Notices

13 Brass Horn Communications (and many other entities) maintain what is known as a warrant canary; https://brasshorncommunications.uk/canary/ - this allows us to demonstrate to our current members as well as potential new members or users that we are not currently subject to any form of Government warrant.

14 Were we to be issued with a warrant, we would be forbidden from directly disclosing this fact, but morally we would have to 'kill' our canary and we would. This is not strictly a disclosure as we understand it but under the proposed laws we might be prosecuted for simply telling the truth.

15 The Home Secretary's statement that 'bad guys' shouldn't be able to choose a CSP that isn't subject to mass surveillance warrants cast aspersions on all other privacy conscious individuals who don't wish to give their money to a business who would willingly spy on them (e.g. British Telecom and the Phorm fiasco or TalkTalk and their 'Family Friendly' censorship).

16 The bill should not make it an offence to disclose any obligations forced upon a CSP by the Government. At the very least a CSP should be able to discuss these forced obligations in broad terms.

Equipment Interference

17 It is objectionable to compel CSPs to assist with Equipment Interference.

18 We've seen in the Snowden leaks that GCHQ et al attacked innocent individuals and legitimate businesses. They undermined their equipment security for tenuous reasons and by granting this power we could see more innocent individuals or businesses targeted by Police or the Intelligence Services. These reasons could be as poor as whichever reasons the Metropolitan Police had for using powers against the families campaigning for justice.

19 Customers trust their CSP by allowing their equipment in their homes or by choosing their equipment to protect their business. Compelled assistance with EI is abhorrent, should be removed from this bill and explicitly prohibited if enabled by previous interpretations of prior legislation.

20 Equipment Interference powers are too powerful for such poorly constrained entities (e.g. certain elements of the Police and elements of GCHQ such as JTRIG) so should be removed or severely limited and explicitly prohibited if enabled by previous interpretations of prior legislation.

The Filter

21 The "Filter" is an ominous piece of technology, it would allow unprecedented access to the meta-data of peoples movements, communications and more across the entire spectrum of their digital lives. It would allow for "parallel construction" of evidence to create criminal cases in an unprecedented way.

22 We've seen RIPA powers used to spy on school catchment areas and for the use of recycling bins. We've seen the Police National Network used to spy on ex-partners and the filter is far far more powerful.

23 The state would be able to track / identify everyone who was near a given area, visited a given website or contacted a given person all seemingly without a warrant.

24 Imagine the level of isolation that could be enforced on the friends and family of people who stand up to the State if it (or a 'rogue' officer) followed the GCHQ JTRIG mantra of "Destroy, Deny, Degrade, Disrupt, Deceive". Without a warrant they could identify every person who met or communicated with their target and then use Equipment Interference powers to damage their equipment, to spy on them, harass them with arrests or simply verbally indicate their when and where – these powers could be misused just as the powers contained in RIPA or Stop and Search have been misused and not just by the odd "bad apple"; the National Crime Agency was using illegal warrants to search property for over 5 years.

25 The Filter gives the state true panopticonic powers with what appears to be little or no oversight.

26 The filter should be removed. If the state is to have bulk retention powers (which we would argue it should not) then the information should be gathered with individual, narrowly defined, warrants put before a judge.

March 2016

 

Prepared 24th March 2016