Will They Hack Us? Will They Betray Us?

London, United Kingdom (PI) – The relationship between users and companies is based primarily on trust. However, many recent developments have the potential to undermine this trust and to question companies loyalties to their users. From excessive data collection and transmission to the failure to guard against basic security risks, one could be forgiven for thinking that the privacy and security interests of users and devices have taken a back seat. Governments of the world are unilaterally endeavouring to make this situation even worse – and the UK Government is leading the way, yet again.

Investigatory Powers Bill and Companies

With the publication of the draft IP Bill, the enforced systematic betrayal of users by companies entrusted to keep our personal data secure is one step away from reality in the UK, and potentially worldwide. The IP Bill is a response to the outrage and illegalities of the intelligence services of the UK and seeks to give the UK Government unprecedented powers over our devices, networks, and services. We are poised to descend into an era where there are no safe places for us to communicate beyond the reach of the UK Government.

Trust is fragile

People’s trust in the devices, networks, and services is constantly threatened by unintended errors or bugs. These are mistakes in software and hardware that can allow a device to be used in a way that was not intended or anticipated by the user or manufacturer. These bugs may give rise to vulnerabilities and be exploited by third parties. It is a constant struggle for software developers and testers to discover and fix these bugs before they are used for malicious purposes. It can take time and resources for these to be fixed, and some never get resolved.

Some of these bugs affect the security and privacy of our communications, while others leave our devices more susceptible to malware. Despite such risks, out of necessity, we resort to placing fragile trust in the companies to build secure systems, report and mitigate bugs, and have a predominant interest in protecting us and our data. It now seems that we not only need to worry about unintended bugs and bugs that are too costly to fix, but also Government-mandated vulnerabilities.

Ending End-to-End Encryption

Encryption has been around for millennia. Many adjectives are used in modern discourse to describe certain of encryption: strong, weak, military grade, etc. None of them have any real meaning. Lawmakers have nonetheless begun to categorise certain types of encryption as: “encryption so advanced not even the service provider can break it“. This description is worrying because it demonstrates a fundamental lack of understanding of encryption technology.

The encryption the lawmakers are referring to is so called “end-to-end encryption” where only the intended recipients of the communication can read the message. The notion that this is a new and advanced form of encryption ignores the fact that such encryption was discovered in the 1960s. It is deceitful to claim that this is some new technological advance.

There is generally no technological necessity for a service provider to be able to read our communications, and yet infrastructure has developed giving service providers this access. Many modern service providers want access to the contents of our communications and documents for a variety of reasons, including to serve us advertisements. Google does this. Even Apple, which has claimed to implement end-to-end encryption for iMessage and Keychain has not done so for our documents stored on iCloud.

And companies connected with the UK may be about to be deprived of having the choice to deploy end-to-end encryption. The UK Government has now proposed legislation to give itself the power to compel service providers to maintain a backdoor, giving the Government access customer communications. As Clauses 189 and 190 of the recently introduced draft Investigatory Powers Bill demonstrate, this power and it is extremely broad:

It is important to note how this power could be used. In the first instance, an operator is served with a notice to maintain the technical capability to intercept encrypted communications. The operator must then take all reasonable steps to ensure this capability is achieved and maintained. This is to allow the operator to later implement interception warrants under Clause 29 and 31. However, Clause 31(6) makes it irrelevant whether or not the operator actually maintains the interception capability, and the failure to comply is on the basis of what the operator should reasonably have done under Clause 189.
Open Source to Protect Rights?
These changes should be detected in software and services that are freely available and open source where independent verification of the security can be performed. However, many open source projects fall under UK jurisdiction and the powers sought by the UK Government would apply to any person who can facilitate the interception, or as shown below, hacking. This would include the likes of Ubuntu and Firefox, which have offices in the UK. We have also seen how the US National Security Agency uses itsinfluence and financial might to infiltrate open source projects and security mechanisms for its own ends. This demonstates that we not only need to be vigilant of these public resources, but that “Equipment Interference” aka Government Hacking comes into play to circumvent measures we employ to protect ourselves.
Hacking Users
What if a user downloads an open source application that provides end-to-end encryption? The UK Government is touting another potential circumvention of this security measure – hacking. The UK Government wants the power to hack an extremely broad set of devices under Clause 83, including devices owned by people engaged in “an activity”:

And it wants the power to compel service providers, such as Apple, Google, Facebook, and Twitter to hack their users on behalf of the intelligence services and law enforcement:

So now, Apple may be ordered to backdoor iMessage and also serve malware to any user who installs an open source secure messaging application such as Signal, for example. Under Clause 99, companies can be served with a warrant requiring them to assist in the equipment interference of their users (aka hacking their users) by, for example, facilitating the installation of malware.
Companies and persons can also be compelled to remove other electronic protection measures to facilitate the hacking, which would include interfering with Data Execution Prevention, Address Space Layout Randomisation and Anti-Virus, or other electronic protective measures that we have all been promoting people to use for decades in order to keep their data and computers safe and secure. The assistance of any person, company, or organisation can be legally enforced if effective service of the warrant is possible. This assistance requirement is extremely broad and not expressly constrained by the Bill in any way.
What’s the harm?
Any company with an office in the UK or that is capable of having a warrant or notice served on it would be subject to the increasingly hostile legal atmosphere that would be toxic from a security and privacy perspective. In reality, even if some of these more draconian measures do not make it into the final Bill, the mere expression of desire for such powers by the UK Government is extremely concerning.
Such hacking power bestowed on the UK Government will undermine the security of the entire internet not only within the UK, but globally. Should the Bill pass in its current form, the integrity of any update received from Apple, Google or other provider would be in serious doubt. If this update doesn’t install the back door, will the next one? If they are unable to install a backdoor now, how long before they will install it?
Over the course of the last few years, live demonstrations using freely available penetration testing tools have highlighted the stark realities of hacking to many who have struggled to see its destructive potential. Mimicking one of the infection mechanisms of FinFisher or Hacking Team, the hacking tools of choice for many repressive regimes and undemocratic states, a user is presented with a fake update to a well-known piece of software to install the malware. After all, that’s the security advice we are all given – keep software up to date. Users are unable to distinguish between a real update and an update that will install the malware.
However, following many live demonstrations using this avenue, the inevitable question comes from the audience: does this mean I shouldn’t update my device or software? The obvious answer is that you have no choice but to update, but updating software should not come with increased risk of the UK Government, or indeed other governments who follow the UK’s lead, hackers, and spies, gaining access to your private communications and data.
Image Source: uıɐɾ ʞ ʇɐɯɐs, Flickr, Creative Commons Happy Hacking Keyboard Professional 2

Image Source: uıɐɾ ʞ ʇɐɯɐs, Flickr, Creative Commons
Happy Hacking Keyboard Professional 2

International Gold Standard of Surveillance

The message that the UK Government is sending through these proposed powers to other state actors is extremely worrying. With the UK Government proceeding with its offensive capabilities at the expense of the security and privacy of the general public, who can we turn to? Many of the companies providing the operating systems of our devices are within reach of UK law: Google, Apple, Microsoft and Ubuntu. The foundations of our devices are thus under threat and this sets a precedent for other countries to compel international companies to betray their users at the expense of us all.
What Next?
It is now time for the giants in IT and Telecommunications to come clean about whether they will install back doors to encryption and facilitate the hacking of their users who place a great deal of trust in them. Will they hack us? Will they betray us?
This report was prepared by Dr Richard Tynan for Privacy International.