UK surveillance law raises concerns security researchers could be 'deputised' by the state Provision in the UK's controversial surveillance laws create a potential means for the UK government to press-gang "any" UK computer expert into working with GCHQ. Computer scientists and researchers are concerned about the provision - even though the consensus is that it is unlikely to be applied in practice because it would …
"Anti-slavery legislation might trum [sic] warrant. It could be an interesting situation."
Anti-slavery legislation is just legislation, open to being overridden by subsequent legislation. We're not talking about the US where they have an anti-slavery clause in their constitution which will trump (with a small "t") any legislation.
I would tell to sod-off and i would ABSOLUTE WITHOUT
HESITATION IGNORE THE WARRANT NO MATTER WHAT!
My info would be all public 7 seconds into the conversation
and since I HAVE one of the BEST computer security systems
IN THE WORLD because I went UTTERLY NUTSO designing
and building it, they are toast!
Custom fabbed CPU/GPU. Check!
Custom Rad-hardened, TEMPEST-rated, EMP-proofed,
and custom AC/DC-surge protected Motherboard and UPS
in a Messahed Faraday and Copper Plate cage. All Check!
Custom BIOS. Check!
Custom Assembler and Compiler! Check!
Custom OS and Applications! Check!
Custom Network Hardware. Check!
Custom Network Stack, Custom Java, HTML, Python, SQL Implementations. ALL CHECK!
Custom Database engines. Check!
Custom Anti-Virus. Check!
Autonomous 500 cameras Infrared, UV, Optical, MM, Xray,
Gamma, Acoustic, RF sensing and imaging. Check!
Weight, Olifactory, Beam-based and Air Current Sensors. Done and Check!
65,000+ Objects per second object detection and recognition. Been There. Done That. Check!
.60 CAL (not .50 .... .60! ) CAL
aka Do you Feel Lucky Punk? Go Ahead Make My Day! Check!
No one is telling ME what to do!
So let's see
a) Govt can spy on everyone in the UK and if necessary target security researchers looking for references to interesting results.
b) Minister issues warrant to request the information.
c) Govt issues gagging order so researcher cannot tell anyone they've been forced to cough it up.
It's just a "coincidence" that all these different provisions work together to achieve this result.
It's starting to look as if the writers of surveillance legislation (THE PATRIOT Act would be another example) seem to be using obfuscation methods akin to malware writers to evade scrutiny by AV systems. IOW
Civil servants writing surveillance legislation --> Malware writers.
[I'm the same person mentioned in the article. Thanks to everyone for the article and the opinions you provided.]
Yes, this is one of the methods I was thinking of. We know GCHQ does pattern matching across Internet traffic and I strongly suspect people doing research on a vulnerability generate their own type of Internet activity pattern. How do we know GCHQ are not looking for those patterns in order to identify people of interest to them ?
As for the opinions offered, what's alarming here is that the experts asked offered a range of opinions from maybe there's a problem here to no, it's telecoms operators only. When even the experts can't agree on what the law means then that's a law which is open to having it's scope stretched and otherwise abused in years to come.
I'm still concerned about the wording though. Many parts of the law are very clear on what the scope of that part of the law means but this part of the law simply uses "any person" without any explicit constraint.
I'm still concerned about the wording though. Many parts of the law are very clear on what the scope of that part of the law means but this part of the law simply uses "any person" without any explicit constraint.
Firstly, even though I am not likely to be affected by this law (wait till NZ's government looks at it, and figures out a way to come up with an even stupider version!), much thanks for taking the time, effort, and potential risk of exposing something that really could be a problem. Whistle blowers often get abused and ignored until well after the event they warned about, and even then seldom get the deserved recognition :( Often this stuff makes people think "more hassle than it's worth", so thanks for taking the time!
Unfortunately what the "experts" quoted in the article missed is the stuff like the passwords thing "Andrew Jones 2" mentioned, and the way governments like to make a specific law to cover a small area, see how "well" it works, and expand it beyond all sense or recognition to cover other things not even remotely envisaged by the original authors of the act (or sometimes originally planned, but they knew they had to do it in stages; the public would lynch them if GPS tracking for all citizens was tried at first but GPS tracking for paedophiles, then murderers, then those with repeated violent assaults, then...). Anyway, what these people have missed is that where a law can be twisted or abused by someone on the prosecution side, it will. Where a minister can make it mean something never intended, they will. Where it can cause someone to be forced to do something they wouldn't otherwise do, it will be done. Even when the law is pretty clearly worded to exclude certain things or only include a specified limited set, those boundaries will be pushed long before the ink has dried.
Maybe some public backlash will lead to some sorting of these things, but sadly I doubt it will get far, not without something more major in the "public backlash" - and that's not likely to happen while there's reality TV and cooking shows to be watched :(
But thanks muchly for doing your part.
Kiwi, thank you and you are welcome.
As regards your laptop question, it's an interesting question and quite honestly one I had not considered.
However, having quickly thought about it, my instinct is that even I don't think the government could get away with twisting the law to that level to target you as a private person in order to get access to equipment you own.
However, I still have concerns about general communications networks operated by large companies and organisations because I do believe it's far easier to twist the telecommunications operator definitions I quoted above to cover them.
"As regards your laptop question, it's an interesting question and quite honestly one I had not considered."
Or something like Asterix
Asterisk is the #1 open source communications toolkit.Asterisk powers IP PBX systems, VoIP gateways, conference servers, and is used by SMBs, enterprises, call centers, carriers and governments worldwide.
It sounds more like it's about telling you to keep your mouth shut about vulnerabilities than asking you to find some for them.
For example, suppose GCHQ are exploiting a vulnerability in the telecoms gear in Berlin to monitor cabinet conversations in the German government. GCHQ know from reading the literature that you've published previous papers on related security research. They then serve a warrant on you telling you to "assist" them by running anything by them first before publishing it. If you start getting warm with regards to a vulnerability that they're using, they'll tell you to "assist" them further by stopping work in that direction and not to publish anything about it. The warrant will also forbid you to say that there's even a warrant. That protects their ongoing use of that vulnerability.
The sort of equipment we're talking about is expensive and not in the hands of the general public, so the number of independent security researchers working on that problem domain will be very limited. Keeping them muzzled would not be difficult, given the tools described. The fact that nobody seems to know what the law actually means in practice is unlikely to be an accident, as they have an ingrained reflex against revealing that they even want to do stuff like this.
They could be doing this right now, and there's no way for you to tell.
So you're hired by the company to fix these problems and they tell you about areas where their systems are weak. They have got you to agree that you won't tell anyone about the problems, naturally.
You'd have to keep your job secret from GCHQ or they will force you to spy for them. Keep your job secret from GCHQ eh?
You'd have to resign whilst hoping the company figure out why.
It might be interesting for people to check out what a telecommunications operator is actually defined as - it's far more widely scoped than people might think.
Section 261, paragraph 10 defines a telecommunications operator as not only the person who runs the service but also any person who has control of a telecommunication system. That latter bit would seem to me to include any vendor who has access to the system as part of (for example) normal support operations.
The rest of that section is well worth a read as some definitions are not what you may expect.
For example, a "telecommunication system" in defined in paragraph 13 as:
“Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.
and "Communication" is defined in paragraph 2 as:
“Communication”, in relation to a telecommunications operator, telecommunications service or telecommunication system, includes—
(a) anything comprising speech, music, sounds, visual images or data of any description, and
(b) signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus.
As far as I can see, that definition not only includes what a reasonable person would consider to be a telecommunications system, but also something like a messaging system running on (for example) a z/OS mainframe, which if true would also place normal mainframe systems under the scope of this part of the act.
It might be interesting for people to check out what a telecommunications operator is actually defined as - it's far more widely scoped than people might think.Section 261, paragraph 10 defines a telecommunications operator as not only the person who runs the service but also any person who has control of a telecommunication system.
“Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.
Couldn't that include any computer connected to any network? For example the laptop I am typing this into is "apparatus comprised in" the internet, and it's main use is to "facilitate the transmission of communications", eg this very message.
My reading of what you've posted would put any connected computer into that scope, though there may be limits elsewhere in the act or UK (case)law that I haven't read
This post has been deleted by its author
How could the gov't know you've found a vulnerability until you publish it/tell the vendor? Me thinks horses, gate, bolted.
Brit Whitehat to MS > "Hey, I found a serious bug that could allow remote execution. I'll give you till the end of next month to fix it before I go public"
MS > GCHQ "You can use this to hack someone's computer, but Brit Whitehat is threatening to go public. I suggest you shut him up"
GCHQ > Brit Whitehat "Shuttup about this or else".
Chinese Blackhat > [snigger] "They still haven't fixed that flaw. Oh hey look, T May is about to use her government-issue credit card. Lets have some fun with this!"
It won't matter if the act violates human rights. After Brexit you can bet that May has her sights set on the ECHR. Then when she has done her best to destory the checks and balances put in place by the those who faught in WW2 to stop Europe back sliding into the 1930s, she'll be able to do as she pleases.
I watched the "May vs Corbyn Live the Battle for Number 10" programme and by god she is creepy as fuck with that "Oh, I'm afraid the deflector shield will be quite operational when your friends arrive." smile she put on throughout the show.
.
P.S. Make June the end of May.
"Make June the end of May."
Saw a neat voter TLA the other day. An "ABC" - "Anyone But Conservative".
Having thought long and hard about it I will be gritting my teeth to vote Labour in the hope of swinging our constituency towards a hung Parliament***. Theresa May is looking like another Trump - except she has the Royal Prerogative giving her more power than a POTUS.
*** unfortunately a pundit has suggested that a hung Parliament means Theresa May being would be kept in power by the religious fanatics in the DUP.
Nice.
Time to recall the Lib Dems were runners up in 63 seats and about 37 of them went to the Conservatives, the rest to Labour and the SNP. Time to consider "going tactical" ?
Pre Election the Conservative Party had an absolute HoC majority of 17.
What would be a real ROTFLMFAO moment would be if the a)Lost the majority or b)Came back with a smaller one. One of those "We managed to snatch defeat from the jaws of victory" moments.
Note however that anything short of a defeat (by however many seats) still puts "President" May in the big chair for the next 5 years.
In theory.
However partial success implies partial failure and the Tory party is not very sentimental or tolerant of either.
The only question would be who gets to star as "Brutus" ?
"I expect to see a lot of researchers putting up warrant canaries if this ever happens."
This is not a problem for the government. Australia has already outlawed warrant canaries for some situations. If your legal system allows the government to outlaw revealing the existence of warrants then outlawing the revealing of the non-existence of warrants is but a short step.
"And what happens if they are asked a direct question about vulnerabilities? Are they legally required to lie? Even knowing that people will suffer loss due to their false reassurance?"
You don't have to lie; "I can't answer that for legal reasons" would probably be a legal response. If further asked what those legal reasons were then "I can't answer that for legal reasons" is, again, going to get the job done. It's going to convey much the same kind of impression as the phrase "helping the police with their enquiries".
So let me see if I've got this right.
Honest researchers trying to improve security and protect ordinary people from criminals will be silenced if they happen to stumble on vulnerabilities that the spooks are also using (I don't believe for one minute the spooks will be first to discover).
However, criminals using such vulnerabilities will now be actively protected by spooks not wanting these made public.
Therefore, I can only conclude that we now have a criminal government.
...WHY this proposal was made by GCHQ.
It all harks back to the reason that we have 'state security' bodies in the first place. Why don't we just have police forces, who can be just as suitably equipped and staffed? The answer is that the Security Services and the interception networks that they use were designed to operate OUTSIDE the law.
These bodies were set up during wartime - WW1 and later WW2. In those conditions, where a spy might be directing an invasion, there was neither the time nor the desire to go through the process of obtaining a warrant for every action. People could be arrested and retained without charge for an indefinite period. People's mail could be diverted or opened at will. If due legal process had to be followed, there was the risk of warning the suspect, or losing valuable time.
This culture survived after WW2 into the Cold War. And so long as it was only 'Russian spies' that these powers were being used against, no one cared too much about the fact that legal principles were routinely dispensed with.
Now the Security Services have run out of the traditional justification for their jobs, and are trying to maintain their staff and budgets by moving into straight criminal activity - the kind of thing the police ought to be doing. But they are still maintaining their 'Cold War' culture. Note that they often don't want to offer evidence 'for fear of revealing sources and techniques'. That is a WW2 justification. They operated widespread communications interception - a WW2 tactic, and had to have it retrospectively legalised when it was discovered.
One of the lesser-known laws during WW2 was one which stated that ANY invention could be impounded by the military and suppressed or used without compensation if that were deemed necessary to the war effort. Again, a rule which makes sense in wartime. But now I see it is being revived by the Security Authorities in peacetime - 60 years after WW2 and 30 years after the Cold War ended...
"People's mail could be diverted or opened at will."
The Royal Mail was set up by Charles II as a monopoly to ensure that everyone's letters went through a central sorting office. The office's secret task was to open letters, copy their contents, and reseal them without any tampering being visible. Thus suspected plotters could be monitored. The Royal Mail museum apparently still has some of the original copies.
That practice predates actually winning the Revolutionary War in the US and "more limited" version continues to this day at least for the "metadata" which is collected on every letter or parcel today. I do wonder if that was the reason Benjamin Franklin created the US Postal Service.
An IT acquaintance was arrested by the police and his IT equipment taken away. He was targeted for a "fishing" raid because his name was in someone's address book - in an investigation that was stalled for lack of any actual evidence for its original allegations.
He was dumbfounded while still on police bail - when he received a phone call from the same police team asking if he could help them crack a hard disk in a different investigation.
(3)A copy of a warrant may be served under subsection (2) on a person outside the United Kingdom for the purpose of requiring the person to provide such assistance in the form of conduct outside the United Kingdom.
Mildly concerning. It's bad enough that my government can pwn* me, now the UK might be in line too? If I don't comply, does extraordinary rendition result so I do my time in your wonderful prisons? /sarc, I hope.
*- The US Navy, despite discharging me for medical reasons and really, really not wanting me back, retains the right to recall me back to the uniform with a simple signature. That puts teeth into the extremely lengthy NDA I had to sign before leaving. It was far longer than my enlistment contract.
I suspect I have encountered what this is about. If your working on telecoms or other infrastructure gear, and you find a vulnerability, then there are backchannel processes to report this to the vendor and all hell breaks loose if you don't obey them strictly. It also means its difficult to build a reputation for yourself which sucks on my cv but hey ho.
I have on occasion watched those processes kick serious issues into the long grass, and I ask myself how can they continue to use that equipment in good faith with it present, I continued to make a pain in the ass of myself about them on principle, but never publically or outside the channels. Don't bite the hand that feeds.
Lets just say knowledge of this juicy backdoor hits the spooks via responsible reporting process, and I receive a gagging order to stop me repeating myself to anyone who will listen in the company, where does that exploit fix go? who will have it to use in their armoury for free?
There's some other key aspects of it that ring bells too, but I won't go into them for privacy reasons. Your never truly anon unless you have taken real steps, and this is my regular account, even if I ticked the post anonymous box.
If you're in the UK then yes.
AFAIK the law is very general. If you're in UK jurisdiction it applies.
Now I think things would get tricky if you were (for some reason) either reactivated by the USN or in receipt of an NS letter about something you'd found.
AIUI the NSL would mean not only could you not tell GCHQ about your work but you could not tell them why you could not tell them about your work.
What happens next depends on how smart the person who's dealing with your case. A smart one will kick it up the chain of command to put in a call to Fort Meade. A dumb one will think you're simply being uncooperative and things will become stressful.
If you're in the UK then yes.
AFAIK the law is very general. If you're in UK jurisdiction it applies.
Are you sure? If you look at the page linked from the main article, subsection 3 says this:
(3) A copy of a warrant may be served under subsection (2) on a person outside the United Kingdom for the purpose of requiring the person to provide such assistance in the form of conduct outside the United Kingdom.
The experts who have discussed among themselves can think what they like - and I frankly find it surprising that they are even giving the Government the benefit of the doubt here. We all saw the writing on the wall with the "don't worry, the [you must give us any passwords we ask for] law will ONLY ever be used for anti-terror" - we all knew it would be used eventually for stuff that was not even vaguely related to anti-terror and sure enough, that day came and went - with very little media coverage.
If the UK Government have an over-reaching power, it doesn't matter what they claim it is for - it WILL be deployed on a frighteningly regular basis and it will be used for many many things that have no relation at all to the original reason they claim they needed the power in the first place.
Along with the plans for complete internet regulation, the existing stupid bill - especially with regard to the adult entertainment industry, and now this new plan - the IT industry is going to flee the UK within the next 10 years.
Britain, land of the allegedly 'free', has been under the thumb of the government, albeit unknown by most, for around a century and the Investigatory Powers Act 2016 simply codified their activities.
The good thing is they can't prove knowledge - no doubt they are working on mind readers now.
Human Rights includes privacy, Human Rights is a UN Treaty the UK signed up to. Who will protect UK citizens post-Brexit?
I believe this sort of thing has been going on for years.
I don't want to go into too much detail in case I start getting visits from well-suited men, but my mother told me a tale from probably a decade back that a son of a former colleague of hers was a few years ahead of me in University doing a software and microelectronics degree of some sort. The lad apparently stumbled upon a way to create a repeatable power failure in hardware. He posted on a few forums on-line asking for peer review, and within a few days all his posts vanished from the forums he posted to, and he had a visit from well-dressed men. His research and equipment was confiscated, but my mother told me he was then funded for a masters and went on to 'work for the government'.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
