UK surveillance law raises concerns security researchers could be 'deputised' by the state
Could govt press-gang you into 'helping'?
A provision in the UK's controversial surveillance laws creates a potential means for the UK government to press-gang "any" UK computer expert into working with GCHQ. Computer scientists and researchers are concerned about the provision - even though the consensus is that it is unlikely to be applied in practice because it would damage wider co-operation.
The potential ramifications of the bulk interception warrants were brought to our attention by Reg reader Simon Clubley. More specifically, Clubley is concerned about the Bulk Equipment Interference Warrants section of the Investigatory Powers Act 2016 (section 190).
"If you are a security researcher in the UK and the government finds out you have discovered a vulnerability, then it appears you can be forced against your will to hand over your research to GCHQ. It also appears that if you then still try to warn the vendor after being served a warrant, the government can prosecute you," Clubley explained.
"It doesn't appear that you need to have any direct connection to the vendor in question," he added.
Clubley's concerns stem from a reading of what he argues is poorly drafted legislation.
According to paragraph 2 of section 190 (Implementation of warrants), it looks like the government can force any individual within the UK (and against their will) to reveal any security vulnerabilities they know about to the government.
Note that while paragraph 5 of section 190 makes reference to the duty of telecommunications operators, there does not appear to be any such constraint under paragraph 2 about who can actually be served with the warrant in the first place.
This omission in paragraph 2 of section 190 is what appears to make the ability to issue a warrant forcing cooperation with GCHQ much more widely scoped than it would first appear.
El Reg polled computer scientists and security researchers for reactions to Clubley's analysis.
The concept of equipment interference is not new but IPA (unlike RIPA) makes it an explicit power. Prof Woodward, a computer scientist at the University of Surrey, said that experts had already spoken among themselves about the prospect of enforced co-operation before deciding it's unlikely to be applied in practice.
"Once a vulnerability is known about, I think your reader is correct in that anyone could be served with a warrant," Prof Woodward said. "In essence, I think this would oblige a researcher to turn over the information they have in order to assist with bulk equipment interference – theoretically this can include a researcher overseas. If you had an uncooperative researcher I’m not sure how you could enforce this."
He continued: "I agree with your reader that it has the potential to be a power to compel, via warrant, a researcher to assist in bulk equipment interference. It has not gone unnoticed and has been discussed amongst colleagues I know. I think the general consensus was that it would be hard to enforce, and in enforcing it you would probably render the very information they were attempting to make use of so public that it would become useless."
Steven Murdoch, a security researcher at University College London and authentication vendor VASCO, noted for his research on payment systems and more, disagreed with Clubley's interpretation of the law. He said that section 176(5)(b) of the law modifies the effect of section 190 so that it applies to telecoms sub-contractors and the like rather than to independent security researchers and the like who discover security vulnerabilities.
"The pass-down requirement is intended for sub-contractors rather than just any person," Murdoch explained. "That said, there isn’t a definite constraint on section 190 so it’s not clear what the actual effect would be. If it really does allow the government to compel any person to assist in mass hacking (bulk equipment interference) then it would be an extraordinary over-reach of powers."
He added: "I could quite understand this being a mistake. The IP Bill was extremely complex legislation, but went through Parliament far too fast to get proper scrutiny."
Prof Woodward agreed that the practical implications of the law are still far from clear: "Much of the interpretation of the IPA [Investigatory Powers Act] will actually only become apparent when it is tested, which has yet to happen at any scale."
The security community would likely baulk at one of its members getting deputised to assist the authorities if news of this became public, but gagging clauses in the UK's recently introduced surveillance laws might prevent the issue becoming public.
Murdoch: "I think any exercise of the powers to press-gang a security expert would be met with resistance from industry and civil society, but only if it came out publicly.
"A general concern I have with the IP Act is that almost every power it gives to the government comes along with a gagging clause (for both equipment interference and bulk equipment interference this is section 132). A person served with such a warrant who disclosed its existence would be subject to up to five years in prison.
"Secrecy requirements remove one of the important checks and balances against over-zealous interpretations of vague and possibly flawed legislation," he concluded.
Ken Munro, a security consultant at Pen Test Partners and an expert in IoT security issues, expressed similar gagging order concerns. "Even referring to the existence of a warrant could be an offence," he said.
Munro reckons that because of the fast-paced nature of security research it's likely that researchers, in many cases, will have already published their findings before intel agencies come a-knocking.
"The intention appears to be to gain information mainly in relation to overseas communications," Munro told El Reg. "Clearly GCHQ wants to bolster its armoury."
"I don’t really think this would work opportunistically in the sense described below – for example GCHQ etc would have to know that a researcher had found something in order to issue a warrant to keep them quiet. The researcher would likely have already published their research in order for GCHQ to find out about it. Stable door/horse bolted!"
A common route for co-ordinating disclosure is through a Computer Emergency Response Team, and the UK CERT is part of GCHQ, so the authorities might well get early wind of something hot.
Munro is far from sanguine about the issue. "There could indeed be a case for ‘press ganging’ a researcher under section 190 (2) (a) – would be interesting to see if this infringed their human rights though. I suspect it’s a case of unintended consequence," he added.
Peter Sommer, professor of digital forensics at Birmingham City University, and an expert witness who has assisted the court in numerous UK computer crime cases, explained that the provisions at issue related to computer hacking of telecoms kit - or bulk equipment interference, in the jargon of intel agencies. The warrant and its operational purposes must be declared to the Intelligence and Security Committee every three months. And the prime minister must review the operational purpose of the warrant every year.
"Section 190 of IPA relates to bulk equipment interference," Peter Sommer explained. "This part of the Act is limited to 'overseas-related communications' (s 176) though it also appears to cover UK-based equipment which is connected with 'overseas-related communications'."
"The warrant has to be issued personally by the Secretary of State and approved by Judicial Commissioners. (ss 182 and 179). The warrant must state what the objectives - 'operational purpose' - of the exercise are - which presumably has to be more specific than 'You never know what may turn up, there are a lot of bad people out there' (s 183)."
The UK's surveillance law (IPA), even for those who worked hard over its draft, is still full of mysteries and obscurities. "I accept El Reg readers will have some scepticism but the requirement on the spooks to set out their reasoning will provide some controls," said Peter Sommer.
The scenario where bulk equipment interference is in play would be one where major switches at overseas telcos and international corporations are compromised by software and / or hardware.
"It seems to me the security researcher only becomes vulnerable under s 190 once they are made aware of the existence of the warrant by having a copy served on them," Professor Sommer said. "Thus a general discovery of, say, a weakness or compromise of a Cisco switch, and its publication is not an offence. (How is the researcher to know who is the author of the weakness/compromise?)
"The authorities, having become aware that a researcher has made a discovery which is in fact part of a bulk equipment interference, would, I think, need to serve a copy of a warrant on the researcher. At that point compulsion to assist - and to conceal the fact of such compulsion - is triggered. But the requirement is to 'give effect to the warrant' not hand over all research.
"In practice I suspect the authorities will want to try to deal with the matter in a co-operative, consensual manner as this will be more productive; having arguments in court over precise interpretations would be unattractive," Sommer concluded.
Graham Smith, an IT and internet lawyer at Bird & Bird, said: "Despite the wording of S.190(2) (and similar 41(3), 126(2), 149(2)), the Act imposes duties to assist only on telecoms operators. 'Require' wording is similar to existing RIPA 11(2)." ®