The FBI's demand that Apple craft new software to bypass iOS's security protections has ignited a worldwide debate about a government's ability to force tech companies to sabotage their own security. One repeated question has been: will other countries, like China, demand the same powers?
You don't need to look to Beijing—or even the future—to find the answer to that question. The newly proposed British spying law, the Investigatory Powers Bill (IPB), already includes methods that would permit the British government to order companies like Apple to re-engineer their own technology, just as the FBI is demanding. Worse, if the law passes, each of these methods would be accompanied by a gag order. Not only would Apple be expected to comply, but the IPB would insist that Tim Cook could not tell the public what was going on without breaking UK law. At least in the current fight between Apple and the US government, we're having the debate out loud and in public.
IPB, One, Two, Three: Multiple Unchecked Hacking Powers
There are at least three parts of the IPB that could theoretically be used against Apple to compel it into undermining the company's own security technology.
First, the IPB would grant the UK the power to issue a "Technical Capability Notice" (S.189), a secret order that the UK would be able to serve on a telecommunications operator (which the bill currently defines so broadly it would include companies like Apple) to force it to "remov[e] electronic protection applied ... to any communications or data" and to "provide facilities or services of a specified description."
Second, the law would also grant the UK the power to issue a "National Security Notice" (S.188)—another secret instrument, even more vaguely drawn, that would require operators to "carry out any conduct, including the provision of services or facilities," which the British government "considers necessary in the interests of national security."
As Privacy International have noted, both of these instruments include gag orders that would prohibit Tim Cook from telling his customers what was happening.
Third, the new bill provides for "equipment interference"—the UK’s name for tailored access, or hacking in the popular sense of that term. It would allow the UK to break into private devices and insert new code for the purposes of surveillance or extracting data. Equipment interference orders include a requirement (S.101) that any communications provider (again, this includes Apple) take any "reasonably practicable" steps in effecting a hacking warrant. This requirement, like the other two notices above, is of course accompanied by a matching gag order (S.102), preventing providers from informing others. (We believe the gag could even preclude them from discussing the order with technical and legal advisors they might have.)
A Dangerous Template
EFF wrote at length in our submissions last year to British Parliament about the dangers of granting any state such an unchecked hacking power. One scenario in which we anticipated such power being misused was very similar to the current Apple predicament—i.e., a technology company being secretly forced to act as an agent of the UK government to undermine their own software. We highlighted how a company might be compelled to design an update that would undermine their own privacy protections:
Under the proposed law, a British company could be compelled to distribute an update in order to facilitate the execution of an equipment interference warrant, and ordered to refrain from notifying their customers... Such an update could be targeted at an individual, an organization, or many organizations related to a single investigation... [B]ecause this software runs on end-user systems, there will always be a chance that such a targeted “back door” to private data would be revealed ... Such a revelation would effectively destroy a telecommunication provider’s reputation for protecting its end-users and the integrity of its systems: however, the request would be “reasonably practicable”, if practicable is defined merely as something that a company or individual can practically achieve.
The IPB is intended by its authors to apply extraterritorially—i.e., on persons and companies outside the UK. If Apple HQ refused to play along, the UK could impose penalties on the UK subsidiary of the company.
So it's true: the power that the FBI wants over Apple is a power that the UK wants, too.
The bill's supporters expect other countries to line up for the same capabilities. Sir David Omand, GCHQ's former director, told Parliament that he saw the IPB as a "gold standard"—a model law that European countries and beyond would emulate. But a bill so empty of effective safeguards would be a dangerous template, as Apple itself predicted. The company's own submission to the IPB Parliamentary committee expressed concern with granting states the power to order “equipment interference”:
We believe the UK is the first national Government to attempt to provide a legislative basis for equipment interference. Consumer trust in the public and private sectors can benefit from a more concrete understanding of the framework in which these activities can take place. However, it could at the same time be undermined by a blurring of the boundaries of responsibilities, and the bill as it stands seems to threaten to extend responsibility for hacking from Government to the private sector.
Apple saw in the IPB’s provisions exactly what it now sees in the FBI's demands: the government asking it to undermine the trust of its own customers.
Establishing A Real Gold Standard: of Privacy and Respect for Human Rights
It's astounding that the IPB includes not one but three avenues for state-mandated hacking—and that each power is matched with an equally broad gag order. The bill's drafters claim that the limits of what the British authorities will or will not do will be defined in forthcoming codes of practice. But that's not enough. A code of practice is not hard law; it can be rewritten on the fly when the authorities single-handedly decide their own lines must be crossed. And authorities can exploit a high-profile event, like a terrorist attack, to do just that. Checks and balances need to be hard-coded into the legislation, not stored in an easily re-written addendum. The IPB needs to be taken back to the drawing board, and rewritten to limit these blanket powers—and to give companies and technologists a chance to speak up, and fight back.
In fact, rather than just rethink the IPB, UK lawmakers should take this as an urgent signal to more actively investigate what hacking acts GCHQ, law enforcement, and the UK military are already committing. Currently, there is a profound lack of transparency around what’s already going on. The IPB's advocates insist that the powers spelled out in the bill’s equipment interference provisions are "already available to law enforcement and the security and intelligence agencies" under previous general property interference powers. It seems that UK authorities already believe they have the legal authority to strong-arm companies and technologists into complying with orders like those wielded by the FBI in the Apple case. What kind of subterfuge is the British government already practicing or planning in this area?
The real "gold standard" would be to establish workable constraints on the hacking and coercion attempts by government agencies. The IPB instead lets the intelligence services and law enforcement community’s disregard for the norms of property ownership, privacy, and digital security poison British law—and legitimize such powers for the rest of the world.