On Friday, November 27th, the Open Technology Institute submitted written testimony to the UK Parliament’s Science and Technology Committee on the Investigatory Powers Bill currently under debate. While there are many problematic aspects to the bill as it is written right now, our comments focused on the issues raised by what the bill terms "Computer and Network Exploitation" (CNE) but which we would refer to as “hacking”. The bill would authorize the government to hack into people’s devices, including desktops, laptops, smartphones, and even (for example) network connected cameras or other Internet of Things devices. Even further, the bill contemplates “bulk” hacking, or subverting large numbers of people’s devices at once. These proposals are troubling, particularly given the ways in which the UK bill implements them. Our testimony offers four points that we hope the Parliament will consider while debating the hacking provisions.
Encryption is a positive force for individuals’ private data and the network as a whole
Before diving into the meat of the hacking debate, we couldn’t resist mentioning encryption while we had the chance. Encryption is vital for the health of the entire Internet. It protects average users’ information, secures all of the commerce that now travels over the Internet, and builds trust for all of us in the network. Experts agree that subverting the whole system without upsetting the applecart is not possible and that any backdoors demanded by government will quickly be found and exploited by criminals and foreign states. OTI has also discussed this issue before in blog posts, testimony, and research papers.
If CNE will be used, it must be narrowly tailored and used as a last resort
While we don’t necessarily agree that hacking ever ought to be a province of government, if the UK is going to proceed in such a way, it must put into place the necessary procedural protections. Hacking should be used with judicial authorization, and only after it is shown that the government has already tried every other means of getting the information they need. The authorization should also be limited in time and require the minimization of non-pertinent information.
Bulk CNE is incompatible with the privacy and safety of average citizens and should be prohibited
The proposal currently before the UK Parliament contemplates that the CNE power could be used in bulk – that is, targeted at many users’ devices – even if they’re not directly suspected of any crimes. This sort of bulk hacking is dangerous from a cybersecurity perspective, as it would require the use of vulnerabilities in extremely common software that ought to be disclosed to the software maintainer and fixed, rather than exploited. It is also completely inconsistent with human rights, as all of the information – and our mobile devices today contain phenomenal amounts of personal information – about every user hacked would suddenly become available to the government.
Companies must never be forced to use auto-update mechanisms to insert vulnerabilities
Because many of the popular companies making devices today have implemented the best practice of auto-updating software, particularly for security updates, governments looking to hack may be tempted to force companies to insert vulnerabilities using those systems. They must never be allowed to do so. Such an approach would severely compromise cybersecurity by making users question the safety of automatic updates or even all updates in general. Such a suspicion would undo all of the good that has been brought about through the recent years of progress on updates to users.