Proposals in the Investigatory Powers Bill to legitimise 'bulk equipment interference' will put technology firms operating in the UK at risk, according to Eric King, signals intelligence expert and deputy director at Privacy International.
"We need to understand that to undertake equipment interference, our agencies are threatening British cyber security," he said in a statement during a Joint Select Committee set up to scrutinise the surveillance bill.
"[UK spy agencies] regularly hack companies in Europe and elsewhere that are not a national security threat in and of themselves. In recent years we have found out that GCHQ hacked Belgium's largest telecoms provider, Belgacom.
"They have also hacked a Dutch telecom. They have hacked [German satellite communication provider] Stellar. The list goes on and on. In doing so they are painting targets on British companies' backs in exactly the same way and legitimising these kinds of attacks."
King warned that bulk equipment interference, or hacking as it's commonly known, could limit the effectiveness of police investigations.
"One of the problems that I haven't had an answer about from the police or the Home Office is how we [ensure] that deploying equipment interference will not compromise evidence that the police might later wish to seize and rely on in court," he said.
"It seems counterproductive that in some circumstances this could result in criminals getting off the hook. Given the intrusive [powers] that equipment interference could provide law enforcement we should be treating it with extraordinary scepticism."
King added that the stockpiling of zero-day vulnerabilities by agencies like GCHQ and the US National Security Agency, revealed by Edward Snowden in 2013, should also be scrutinised.
"By using vulnerabilities in networks that they have acquired themselves, but are refusing to tell the world about, they are reducing the security that we collectively experience," he said.
"The stockpiling of these vulnerabilities and zero-days is something that isn't considered in this bill, and policies need to be very carefully set out about before any consideration is made about [such] powers."
Intelligence sharing concerns
Rachel Logan, a law and human rights programme director at Amnesty International, told the scrutiny committee that the bill needs to clarify how countries share data gathered from surveillance.
Logan explained that Amnesty is "very disappointed" with the proposals and would like to see a "clear and accessible framework" for how material is sent and received across the globe.
"In the bill we have very little [information about] overseas arrangements. For instance, Section 39 provides for that activity but simply talks about lawful interception being something carried out in response to a request made in accordance with a 'relevant international agreement'," she said.
This agreement between nations, including the 'Five Eyes' countries of Australia, Canada, New Zealand, the UK and the US, is vague at best, according to Logan.
"All we have in the bill is a bare reference to a 'forthcoming' code of practice that will deal with the making of requests [for] intercepted material. [There are] no definitions of what any of this might be, [and] no expansion of what any of this might mean," she said.
"We had very much expected this bill, in the spirit of transparency, to provide a clear legal framework, and those references simply do not do that. How can Parliament provide a proper scrutiny? How can the oversight bodies provide a proper scrutiny? How can the public understand where their information might end up? There is simply nothing there and that's very disappointing."
Amnesty has brought a number of legal cases against the UK government and intelligence agencies over the past 18 months and continues to argue its case at the Investigatory Powers Tribunal. The group found out in July that GCHQ had intercepted, accessed and stored the communications of Amnesty staff.
A Christmas wish-list
Erka Koivunen, a cyber security advisor at F-Secure, likened the bill to a GCHQ Christmas wish-list when giving evidence to the committee.
"[The bill] is transparent in a way because it lays out the intentions of the government. So I guess this is a bill that you would get if you asked signals intelligence organisations what they would like as a Christmas present. They would reply 'this bill' and say they want it in bulk," he said.
Koivunen warned that such a broad bill could create unforeseen problems. "The powers that are laid out in the bill could be misused, and this is going to lead other nation states to try to mimic those powers," he told the committee.
"If there was ever a question about whether nation states, governments or military organisations would engage in hacking or computer intrusions I guess this bill now solidly states that, yes, this is what they do and this is what the UK government is actively seeking to do.
"Frankly, I think this is something that has been going on for quite a while now, so this is an attempt to put the existing situation in writing."
A number of major technology firms and privacy groups have criticised key components of the proposals. Most recently, Apple called on the UK government to modify its stance on encryption.
"The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers," the firm said in a written statement.
"The best minds in the world cannot rewrite the laws of mathematics. Any process that weakens the mathematical models that protect user data will, by extension, weaken the protection."