Security

UK spies: You know how we said bulk device hacking would be used sparingly? Well, things have 'evolved'...

Admit they are upping their use of mass snooping

By Rebecca Hill

59 SHARE

UK spies are planning to increase their use of bulk equipment interference, as the range of encrypted hardware and software applications they can't tap into increases.

Equipment interference (EI) – formerly known as computer network exploitation – is the phrase used for spies poking around in devices, like phones or computers, and media like USB sticks.

UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor

READ MORE

It allows them to gather up info they claim would otherwise be "lost" as it can't be obtained other ways – crucially, it means they can access encrypted data they cannot grab via the more traditional route of interception.

At the time the Investigatory Powers Bill was passing through Parliament – it was signed into law in 2016 – EI hadn't been used, but it was already seen an alternative to bulk interception.

However, it was expected to be authorised through targeted or targeted thematic warrants; as then-independent reviewer of terrorism David Anderson wrote at the time, "bulk EI is likely to be only sparingly used".

Since then, though, GCHQ's use of these bulk powers has "evolved", according to a letter (PDF) to members of parliament’s Intelligence and Security Committee, by security minister Ben Wallace.

During the passage of the Investigatory Powers legislation, he said, the government anticipated bulk EI warrants would be "the exception", and "be limited to overseas 'discovery' based EI operations".

But with encryption increasingly commonplace, the spies want the exception to edge towards becoming the rule.

"Since the passage of the Bill, the communications environment has continued to evolve, particularly in terms of the range of hardware devices and software applications which need to be targeted," Wallace said.

"In addition, the deployment of less traditional devices, and usage of these technologies by individuals of interest has advanced significantly."

Wallace said GCHQ had reviewed "current operational and technical realities" and "revisited" its previous position.

"It will be necessary to conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged," he said.

This was predicted by David Anderson, QC in his 2016 report (PDF), as he acknowledged that the logic of bulk interception could apply to bulk EI.

"There will be foreign-focused cases where there is significant value to be gained, operationally, from it - but in which it won’t be possible to make a sufficiently precise assessment to proceed on the basis of the thematic EI power," he said.

Anderson added that bulk EI would require "particularly rigorous and technically-informed oversight" from both the secretary of state and the judicial commissioners who form the other part of the recently introduced "double lock" mechanism.

Wallace said in his letter that the government had told the Investigatory Powers Commissioner, Adrian Fulford, about the proposals, and that Fulford "has proposed enhanced post facto safeguards for this activity".

Writing on Twitter today, Anderson praised GCHQ's transparency on the matter, but added that IPCO would need to investigate in more detail.

Others countered that it suggested there were major concerns about the legality of the new practices.

Wallace's letter insisted the interpretation was "fully in line" with the IP Act and the EI Code of Practice, and that the judicial double lock process would apply the additional controls and safeguards of the regime. ®

Sign up to our NewsletterGet IT in your inbox daily

59 Comments

More from The Register

Cisco sneaks hardcoded secret root backdoor into vid surveillance kit

Who watches the watchers? Anybody who has the login

Bulk surveillance is always bad, say human rights orgs appealing against top Euro court

Liberty and pals seek to prove intrusive spy powers can never be justified

UK.gov told: If you want public to trust surveillance cam strategy, throw money and manpower at it

Commish laments 'illogical' limitation on code compliance

Defense against the Darknet, or how to accessorize to defeat video surveillance

Boffins from Belgium break people recognition software with a colorful placard

Who watches Sony's watcher? Boffins poke holes in surveillance kit

Command injection and stack buffer overflow flaws bedevil cam range

MI5 slapped on the wrist for 'serious' surveillance data breach

Auditors poked around for a week after too many Peeping Toms had a trawl

US told to quit sharing data with human rights-violating surveillance regime. Which one, you ask? That'd be the UK

Nonprofits urge Congress not to sign deal under CLOUD Act

Activists raise alarm over insidious creep of surveillance in the UK

Report calls for government data 'firewall', spy-free schools, up-to-date laws

Drone 'swarm' buzzed off FBI surveillance bods, says tech bloke

UAV arms race with drug lords is upon us

UK is 'not a surveillance state' insists minister defending police face recog tech

Creepycams are fine. Public just needs to trust us... I mean them, I mean private firms