UK spies: You know how we said bulk device hacking would be used sparingly? Well, things have 'evolved'...

Admit they are upping their use of mass snooping

By Rebecca Hill


UK spies are planning to increase their use of bulk equipment interference, as the range of encrypted hardware and software applications they can't tap into increases.

Equipment interference (EI) – formerly known as computer network exploitation – is the phrase used for spies poking around in devices, like phones or computers, and media like USB sticks.

UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor


It allows them to gather up info they claim would otherwise be "lost" as it can't be obtained other ways – crucially, it means they can access encrypted data they cannot grab via the more traditional route of interception.

At the time the Investigatory Powers Bill was passing through Parliament – it was signed into law in 2016 – EI hadn't been used, but it was already seen an alternative to bulk interception.

However, it was expected to be authorised through targeted or targeted thematic warrants; as then-independent reviewer of terrorism David Anderson wrote at the time, "bulk EI is likely to be only sparingly used".

Since then, though, GCHQ's use of these bulk powers has "evolved", according to a letter (PDF) to members of parliament’s Intelligence and Security Committee, by security minister Ben Wallace.

During the passage of the Investigatory Powers legislation, he said, the government anticipated bulk EI warrants would be "the exception", and "be limited to overseas 'discovery' based EI operations".

But with encryption increasingly commonplace, the spies want the exception to edge towards becoming the rule.

"Since the passage of the Bill, the communications environment has continued to evolve, particularly in terms of the range of hardware devices and software applications which need to be targeted," Wallace said.

"In addition, the deployment of less traditional devices, and usage of these technologies by individuals of interest has advanced significantly."

Wallace said GCHQ had reviewed "current operational and technical realities" and "revisited" its previous position.

"It will be necessary to conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged," he said.

This was predicted by David Anderson, QC in his 2016 report (PDF), as he acknowledged that the logic of bulk interception could apply to bulk EI.

"There will be foreign-focused cases where there is significant value to be gained, operationally, from it - but in which it won’t be possible to make a sufficiently precise assessment to proceed on the basis of the thematic EI power," he said.

Anderson added that bulk EI would require "particularly rigorous and technically-informed oversight" from both the secretary of state and the judicial commissioners who form the other part of the recently introduced "double lock" mechanism.

Wallace said in his letter that the government had told the Investigatory Powers Commissioner, Adrian Fulford, about the proposals, and that Fulford "has proposed enhanced post facto safeguards for this activity".

Writing on Twitter today, Anderson praised GCHQ's transparency on the matter, but added that IPCO would need to investigate in more detail.

Others countered that it suggested there were major concerns about the legality of the new practices.

Wallace's letter insisted the interpretation was "fully in line" with the IP Act and the EI Code of Practice, and that the judicial double lock process would apply the additional controls and safeguards of the regime. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

It's a bird! It's a plane! No, it's two-dozen government surveillance balloons over America

Back at base, bugs in the software. Flash the message, 'Something's out there'... Floating in the summer sky, 99 Fed balloons go by

Human-rights warriors crack on with legal challenge to UK's lax surveillance laws

Toughen it up and reduce all that warrantless state surveillance, demands Liberty

Cisco sneaks hardcoded secret root backdoor into vid surveillance kit

Who watches the watchers? Anybody who has the login

Bulk surveillance is always bad, say human rights orgs appealing against top Euro court

Liberty and pals seek to prove intrusive spy powers can never be justified told: If you want public to trust surveillance cam strategy, throw money and manpower at it

Commish laments 'illogical' limitation on code compliance

We are shocked to learn oppressive authoritarian surveillance state China injects spyware into foreigners' smartphones

Border cops accused of loading tourists' mobiles up with snoop app in Muslim area

Defense against the Darknet, or how to accessorize to defeat video surveillance

Boffins from Belgium break people recognition software with a colorful placard

Who watches Sony's watcher? Boffins poke holes in surveillance kit

Command injection and stack buffer overflow flaws bedevil cam range

'It’s not a surveillance program'... US govt isn't going all Beijing on us with border face-recog, official tells Congress

Lawmakers told: 'We don’t run the scans against any other databases'

MI5 slapped on the wrist for 'serious' surveillance data breach

Auditors poked around for a week after too many Peeping Toms had a trawl