Investigatory Powers Bill

Written Evidence submitted by Tirath Bansal, Director, Myorb Limited, developer of myorb.com (IPB 15)

Summary

1. The Investigatory Powers Bill, and in particular the Equipment Interference Code of Practice, is a total removal of privacy across every facet of our lives. It co-opts every existing, emerging and future UK tech startup into being surveillance entities for the state through vulnerable ‘backdoors’ imposed by and accessible by the state at will and also hackable by anyone, including those with nefarious intentions from whom we wish to protect ourselves.

2. The Equipment Interference Code of Practice is highly unlikely to be effective in the fight against terrorism, child exploitation or any other universally reviled activity.

Introduction

3. I am Tirath Bansal, Founder and CEO of Myorb Limited.

4. We are a fledgling British tech business about to launch myOrb.com, a cloud service able to accommodate the entire digital world of its users. Researched and developed in Britain, myOrb is amongst if not the most advanced web application in the market.

5. We have worked hard like many others to create businesses which can strengthen the British economy.

6. We are moving into a new era of web technology and Britain is set to be a leader in many industries: the Internet of Things, Big Data, and Artificial Intelligence, to name a few, each with substantial export potential.

7. Success in these industries is based upon ensuring the privacy and security of people’s information, communication and collaborations. The relationship is based upon trust, which in turn requires safeguarding users’ information.

Equipment Interference Code of Practice

8. Building backdoors into software may seem like a logical solution to the difficult challenges we face. However, it is not that simple. As humans we naturally know how to protect and defend ourselves against attack. Attackers know our vulnerabilities and utilize their knowledge to successfully harm us.

9. Software development is no different. Software developers know how to build secure systems able to protect users’ information. Hackers know how to attack software and identify vulnerabilities. It is counterintuitive for software developers to build backdoors which are safe and only accessible by the authorised agencies. The backdoor will be available to everyone, including other nation states or hacking groups with nefarious intentions.

10. This problem is highlighted in the current dispute between the FBI and Apple. The case has been postponed because a third party believes they are able to hack the iPhone belonging to Syed Farook, one of the San Bernardino terrorists, something Apple was not certain that it could do. Further to this, the backups Farook had made of his iPhone showed no terrorism-related communications.

11. Ars Technica reported that the Paris bombers used ‘burner phones’ or phones they used once and threw away, activated just as they were about to carry out their appalling acts.

12. In the subsequent investigation many unused phones were found and many others used in the attack were left discarded. It was discovered that not a single e-mail or online chat message from the attackers was found on them.

13. This suggests that the attackers knew such communications are routinely monitored by intelligence agencies. Rather than trying to avoid discovery by using obscure services or even encryption, which would in itself have drawn attention to them, they seem to have stopped using the Internet as a communication channel altogether.

14. The experience of the Danish government in trying to implement similar bulk surveillance capabilities concluded that the data surface is too large to be of use.

15. The argument that everyone’s communications must be weakened in order to tackle terrorism is weak and far from proven.

16. The practicality of imposing an order on a business is also fraught with difficulty. The public will become aware of the bill and rightly assume UK tech businesses are compliant. Also it is difficult for a backdoor to be built without the knowledge of the majority if not all of the development team in a small business. Over time gagging orders will be inadvertently breached as they will become an open secret.

17. This will ensure that no one will want to work in large swathes of the UK tech sector, which is populated predominantly by smaller businesses, for fear of being criminalized, forcing companies to move overseas.

The retention and examination of bulk personal datasets

18. In principle we are not against the retention of data for a period of one year. It is a responsibility we accept as it is required to capture and prosecute those who seek to harm us. However, it must be defined which agencies have the power to access these records and

19. to some extent for what purpose, as this would be a concern to our users and damaging to our business.

20. There is also a significant cost attached to the retention of records and to present them in a useful format. For a small business these will need to be reimbursed to ensure our success is not encumbered.

Interception, acquisition of communications data, and equipment interference powers are provided for both on a targeted basis and in bulk

21. The powers sought in the bill must be targeted and not thematic. Bulk warrants go against the principles of the Rule of Law.

22. Britain throughout its history has been a beacon of hope to the world on human rights, freedom of speech and its sense of fair play. The bill deviates far from these principles by allowing bulk interception warrants, bulk equipment interference warrants and targeted interception warrants without the need to demonstrate criminal involvement or a threat to national security. The bill affords domestic law enforcement, as well as security agencies, access to these hugely intrusive capabilities. The bill means the state can access your information not just from your phone or computer but your smart home and smart car and anywhere else we will soon be using technology. This is an unrecognizable environment given our history and ideals.

23. We must uphold our historic principles whilst at the same time ensuring that we meet and surpass our responsibilities to protect society from terrorism, child exploitation and any other universally reviled activity. We want to achieve this without compromising the safety of our users’ information or their human rights and under the rightful authority of judges for only the appropriate and specific agencies involved.

24. The consequences of the bill have not been considered and the effects will be counterproductive.

25. Such sweeping powers cannot be helpful when they simply mean that the activities we wish to protect ourselves from move outside our borders and control, whilst simultaneously destroying the UK tech sector by removing its trustworthiness.

26. The frequency of requests to help fight terrorism and child exploitation is not unmanageable on a case-by-case basis under the authority and control of judges. It doesn’t need to compromise the rule of law nor the success of the UK tech industry.

27. The battle against terrorism and child exploitation has moved online and we need to transfer the battle online. The security, intelligence and military agencies have always had their rules of engagement. We need to transfer those rules of engagement to the web.

28. We are here to help with the fight in any way that we can. We are responsible citizens.

29. What is wholly wrong is to destroy Privacy for everyone. These are precisely the freedoms we are trying to protect.

30. We need separate and distinct rules of engagement for domestic law enforcement and separate ones again for tax and civil disputes. Currently different ministries have different rights to access our information; it is not one size fits all purposes. Access must be proportionate to the need.

31. The Investigatory Powers Bill needs to define exactly what it is trying to achieve. The focus should be on terrorism and child exploitation, separately and concurrently. The powers that are needed to achieve this and the departments which need the information must be decided with the consent of society and debated fairly.

March 2016

Prepared 24th March 2016