Facebook, Google, Microsoft, Twitter and Yahoo Balk At UK's Investigatory Powers (betanews.com)
Mark Wilson writes: The Investigatory Powers Bill may only be in draft form at the moment, but the UK government has already received criticism for its plans. Today, scores of pieces of written evidence, both for and against the proposals, have been published, including input from the Reform Government Surveillance (RGS) coalition. Five key members of the coalition are Facebook, Google, Microsoft, Twitter and Yahoo. In their written evidence, the quintet of tech companies express their concerns about the draft bill, seek clarification from the UK government, and issue warnings about the implications of such a bill. The evidence (document IPB0116) says that any surveillance undertaken by the government needs to be 'targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent'. The coalition notes that many other countries are watching to see what the UK does.
stupid uk gov vs big bad corps. which is worse? (Score:5, Insightful)
the curious thing about uk bill is that it is explicit in its intrusive powers. western govs, in past and at present, have been getting these same companies to do what they want without such explicit powers.
they make a fuss only when all these are publicly exposed. but are quite cooperative privately.
Re:stupid uk gov vs big bad corps. which is worse? (Score:4, Interesting)
My guess is that the bill would let the UK demand user data, which is what the five would rather want to sell than to give out for free.
Re: (Score:2)
You know what, I'd be happier with someone monetizing my information and giving me something in return than someone else taking it for the sole purpose of oppressing the public and then charging them through the taxation system in the process.
Re:stupid uk gov vs big bad corps. which is worse? (Score:5, Insightful)
The problem with the UK system of government is that once a party gets a majority they can pretty much do what they like, and so there isn't really much to stop them just grabbing whatever powers and data they want now. Plus, it is likely that they are using the usual tactic of asking for extreme powers and then "compromising" on the only slightly milder powers they really wanted. Hey, look, they are listening to our concerns!
The written submissions [parliament.uk] are interesting reading. For example, Trading Standards wants access to enforce trade marks. They want the ability to sift through your metadata to enforce commercial trademarks. This is just to start with, we haven't even had the mission creep yet, and they want to use this hugely invasive tool that other oppressive regimes can only dream about for the relatively mundane purpose of enforcing commercial trade marks. Not paedophiles, not terrorists, companies using branding without permission.
Then they ask if it is really necessary to have judicial review of Trading Standards' requests, because hey they can monitor themselves for abuse and save a bit of time and money. Oh, and anyone who doesn't cooperate should go to jail, because this is Trading Standards, those trade marks are life or death!
It gets worse from there. The Police Chiefs' council [parliament.uk] is concerned that hacking will be limited to serious cases only. Even ignoring the flimsy justification, it's a really, really stupid idea because the more police malware is used the easier it will become to get samples, detect and block it. I somehow doubt that foreign anti-virus companies are going to add exceptions for the UK police to target the phones of people posting revenge porn.
Naturally they are worried that the retention term might be reduced from 12 months too, because they prefer to record things forever, e.g. their vast DNA database.
The CPS claims that evidence acquired by hacking will be usable in prosecutions. This is rather worrying. Once a device or computer has been hacked it will be extremely easy to plant evidence on it. The accused will find themselves in the position of having to pay for independent experts to give evidence that the prosecution could have planted incriminating files or metadata, or just written their own log files. They must be planning ways to get around people claiming that they were framed when hacked evidence is used, which is extremely alarming.
The Local Government Association simply lies in their submission. They point out that under existing legislation only 19 out of 6000 data access requests were rejected by courts, but of course don't mention that many of those granted were later found out to be abuses or unwanted mission creep.
Basically government agencies are rubbing their hands with glee at the thought of being able to pry into people's lives, while everyone else is extremely alarmed and vowing to resist.
Re: (Score:1)
Your description of the United Kingdom's system of government is inaccurate. The majority can't simply "grab whatever powers" it wants. Great Britain has laws and the equivalent of a Constitution (it doesn't exist as a single document, but the equivalent of it exists). The main advantage of having the majority appoint the leader is that they don't have gridlock -- in other words, the elected leadership can actually govern.
But all of that is irrelevant because, just like in the US, these spying powers have w
Re:stupid uk gov vs big bad corps. which is worse? (Score:5, Interesting)
Were quite cooperative. Not any more.
Years ago, companies like Facebook and Google had fairly cordial relationships with police departments around the western world. If a government came and said we need access to account X because we think it's engaged in child porn or terrorism, the companies asked them to fill out the right paperwork and then got on it. Sometimes they'd even tip governments off, if they spotted someone doing stuff that was clearly criminal. It wasn't really an adversarial relationship. There was an assumption of good faith on both sides. The UK was especially dependent on this kind of relationship because it has comparatively little influence over these companies, none of whom have major engineering centers or fixed assets there (the London development offices of Google and Facebook only got reasonably big very recently indeed and neither are critical to the firms).
That all changed post Snowden. You can read about this change in UK newspapers. Post Snowden these companies stopped assuming good faith and started doing everything they could to slow things down, because they were understandably upset that governments had been secretly hacking their systems and intercepting their fibre connections. Google in particular encrypted all the inter-datacenter traffic that GCHQ had been intercepting, which made the intelligence agencies dramatically less useful, as so much of the data they wanted was hosted there. Whereas previously these firms might have not worried too much if the i's and t's weren't dotted and crossed, now they insisted on it as a matter of principle. They started challenging everything automatically. Most seriously of all they started saying "the data for this account is under the control of our US subsidiary so you need to get an MLAT to access it". An MLAT is a Mutual Legal Assistance Treaty and is a process for one country to formally request legal help from another. The MLAT process is extremely slow and bureaucratic so Silicon Valley's newfound insistence that it always be used effectively put a halt to most of the snooping that the UK had been doing.
So now the UK wants their old powers back. What they REALLY want, of course, is for Google/Facebook/Yahoo/Apple to decrypt their wires and devices so GCHQ can go back to snaffling all of it. They know they probably can't get that though, but an automatic "we say jump, you say how high" process with no safeguards and no mutual legal assistance treaties is the next best thing.
The risk here, for the UK, is that the UK needs Silicon Valley more than SV needs the UK. It'd be very easy for Google, Facebook, Twitter etc to simply shut down their offices in London and offer the engineers a relocation package. The sales staff can be rehired elsewhere. They'd rather not do this as it'd be disruptive, but nothing in their business requires a presence in London. It's not like most companies where they have factories and other immovable assets. Google can sell services into the UK from Ireland just fine and did so for years. If the UK pushes these companies too hard there's a risk they'll simply leave. UK isn't going to block these websites. It's clear from comments by Tim Cook especially that this isn't some abstract business decision for these firms, the CEOs see it as a moral issue. Now the Twitter CEO went back to being Dorsey it's possible he'll see things the same way too. Not sure about Facebook but the cultures are fairly similar.
Balance of power (Score:4, Insightful)
Re: (Score:3)
Nah. The government wouldn't blink at all. They didn't in China. BlackBerry got a government to blink though. But none of them pulled out of China and even have a history of sticking around like with the right to be forgotten crap.
The UK is just too big of a market for them to drop.
Re:Balance of power (Score:5, Informative)
Of course, here in the US it's actually worse. They go to great lengths to spy on everyone and they don't bother with pesky issues like the constitution or the rule of law. They just do what they want to do and get all the money they need to do it without any debate or oversight. And they lie their teeth out over what they do. I bet the PRC is jealous.
Re: (Score:2)
Nah. The government wouldn't blink at all. They didn't in China.
The "please vote for us" form of government reacts to such things very differently to the "shut-up peasant!" form of government.
Re: (Score:2)
Buy guns. Get all your friends to buy guns. Be an honest, careful, and responsible citizen. But buy guns.
Re: (Score:2)
The only way to get the former instead of the latter is for the citizens to have weapons.
Yeah because your government is a shining example of democracy for the rest to follow. Which makes me wonder if you all believe in your bullshit then why hasn't anyone risen up against your government yet. I mean they are shitting on your constitution as fast as their dietary fibre will push, but you have a gun so you're clearly in control.
Grow up. This isn't directed at you. It's directed at 319 million of my fellow people living on this planet.
Re: (Score:2)
If the please vote for us government isn't worried about openly spying on citizens I doubt a couple companies threatening to pull out would scare them. The issue can be spun as they are enabling the bad guys and support them which is obvious by not letting government monitor and catch them.
But it won't come to that. The market is just too big and profitable for the companies to abandon so outside of making noise, it won't come to it. Just like with China and the government knows this.
Re: (Score:3)
The shareholders would blink first. The chairman would be replaced about 30 seconds after suggesting doing something so reckless.
Not necessarily. At the moment the companies have generic products they can offer worldwide. If the UK manages to establish a precedent for getting special treatment, then other countries will be quick to produce their own wish lists. That means a lot of extra cost (and lower profit) when they could simply pull out of the UK and keep offering services to UK residents from beyond the British legal jurisdiction.
The UK will hold a referendum later this year on whether or not to remain in the EU. A lot of bi
Re:Balance of power (Score:4, Interesting)
UK is a BIG english-speaking market, where people buy more goods online than in any other country in the world ( http://www.telegraph.co.uk/new... [telegraph.co.uk] ). right now, these companies are just trying to save faces before they start applying lubricant to all orifices. by the time UK government says "bend over", they'll be waiting in line with pants around their ankles.
Re: (Score:3)
UK is a BIG english-speaking market, where people buy more goods online than in any other country in the world
The inter-EU trading rules are such that business within the EU is supposed to be very easy. I wonder as a thought experiment, what if they (say) operated the UK business entirely from nearby European countries. They presumably would not be bound by UK law, since they're not operating from there.
I wonder what the costs of decamping would be, and how infeasible it is. Amazon certainly managed just fi
Re: (Score:3)
They effectively do. Google and Facebook sell to the whole of the EU from Ireland, not the UK. The only presence these companies have in the UK is offices in London and (I think for Google) Cambridge. So, some employees, basically. But that's optional. They could fire all of them and continue selling ads into the UK without issue.
Re: (Score:2)
FTFY
Google employs plenty of people in the UK with job titles that include "sales". That the "sales" take place in Ireland is merely the way it is reported for tax purposes.
Re: (Score:2)
UK is a BIG english-speaking market, where people buy more goods online than in any other country in the world ( http://www.telegraph.co.uk/new... [telegraph.co.uk] ).
Your statement is inaccurate. What your source says is that a higher proportion of Britons buy things online than any other OECD country, but the UK does not buy more goods online than any other country. Per capita, possibly (although the graph didn't show amount spent, only proportion who bought anything), but the US still spends far more as a whole. Furthermore, these five companies - with the exception of Microsoft - don't really sell much *to* people. They'd lose money pulling out of the UK, certainly,
Here, let me fix that last quote (Score:4, Insightful)
"... many other countries are watching to see what the UK can get away with."
Hate the uk (Score:5, Insightful)
Wait for the first CEO (Score:1)
Normally, the government can wait for the first CEO to stick his neck out, then make an example of him. But pissing-off 5 corporations at once can easily put the UK government under cross-hairs. Normally, government rules are just the cost of doing business but no business can tolerate what is essentially government-sanctioned stealing of their property. These multinational corporations can run a smear campaign at the next election but the new masters will probably want to indulge in the same grand larce
End-To-End Encryption is the Issue (Score:5, Informative)
The big issue with the law is that it seems to be banning end-to-end encryption. Right now, when the FBI comes to Apple and says "give us this person's iMessages in clear text" Apple can just respond "we made it so that we have no way to comply". Apple likes it that way, mostly because customers hate being spied on so it's a selling point. The UK is ramping up to say "make it so you can comply in future or else big fines and gaol". And it's going to be hard for Apple to do this just for the UK. You can bet the UK is going to be of the view that they need to be able to see the comms of foreign citizens on UK soil, and of UK citizens overseas. It's just like how California car emission laws have consequences for the whole of the US. In this case a UK law could outlaw strong encryption for ordinary consumers in the whole developed world.
Re: (Score:3)
And then what? There is a lot of free open-source e2e encryption software where no payment processors can be put under pressure. If the UK government demands backdoors from GnuPG, Signal or SMSSecure and they respond with "nuts", there is nothing the UK government can do. They could try to block Signal but that would probably result in them finally making work of a decentralized server setup.
Re: (Score:2)
I just read the draft bill... they don't seem to be demanding back-doors to anything, in fact they seem to be saying that they are interested in understanding connection logs rather than communication content. i.e. they want to see something like an itemized phone bill showing who called who, when and for how long. This applies to email and IM as well and also they want to see a big list of sites you visited and when.
I personally object to any information like this being gathered in bulk. I'm less bothered
Re: (Score:2)
And then what? There is a lot of free open-source e2e encryption software where no payment processors can be put under pressure. If the UK government demands backdoors from GnuPG, Signal or SMSSecure and they respond with "nuts", there is nothing the UK government can do. They could try to block Signal but that would probably result in them finally making work of a decentralized server setup.
The key word here is software. Yes, there is lots of free open source e2e encryption software, but that doesn't do you a bit of good if your hardware has backdoors! Once they have a backdoor in your hardware, keyloggers can get your passphrases and memory scans can get your encryption keys. Secure software is useless on insecure hardware or insecure operating systems, and that's what this debate is all about: hardware and operating systems.
Bulk data collection is the big issue (Score:2)
Banning end to end encryption is just one small effect. Small because most of them don't offer end to end encryption anyway for most of their products.
The big fat issue here is bulk data collection.
The judiciary in this brave new world, no longer approve individual warrants for individual searches, they approve classes of warrant for a bulk data feed. Similar to the crap the FISA court has been up to.
So instead of approving a warrant for "Abdul and people who communicated with Abdul", they propose that a ju
Re: (Score:2)
Anonymity on average is difficult given every internet connection and cell phone is "networked" back to some company that has to know who is using and paying for network access.
The UK's telecommunications laws and expectations over the digital generation were formulated from the GCHQ's experiences in Ireland. Every call domestically and in/out o
Re: (Score:2)
Firstly I'd like to go on record and say, I value my privacy and I advocate against the government having the power to bulk-snoop on the country because they're bound to upload their findings to a notebook and leave it on a train or something equally stupid. I also appreciate that being able to conduct warranted surveillance of known (or at least reasonably suspected) criminals in order to bring them to justice is a useful tool for our law enforcement agency.
However, regarding your assertion that the law "see
Why did UK politicians even comment? (Score:4, Interesting)
From the Defence of the Realm Act 1914 https://en.wikipedia.org/wiki/... [wikipedia.org] to every phone line domestically and in and out of Ireland to all calls on Intelsat via CSO Morwenstow/GCHQ Bude.
The ability to collect all and then use parallel construction over the decades was never really fully worked out by the press, lawyers, human rights campaigners, tech experts or academics.
All MI5/6 and the GCHQ had to do in closed courts was to ensure a protected "witness" could be presented to confirm what "collect it all" had originally found.
Legal experts would assume someone had been turned and offer immunity or a deal. Few in public really understood the collaboration between the US, UK tech sectors, academics and the UK gov over decades.
All the UK political experts should have said was that VPN, US consumer grade cryptography, onion routing was a complex issue that the government was spending money on trying to understand over time.
Generations of interesting people would have continued to be fooled into using fully tracked VPN services, gov malware ready cell phones, tracked telecommunications products, junk consumer grade encryption, IP reporting onion routing applications. All networking would have been under full UK gov observation with only hints that sock puppets could have been used to counter.
Projects like Tempora https://en.wikipedia.org/wiki/... [wikipedia.org] would have given the UK the world if UK politics would have just been more vague about global collection.
Why did the UK intelligence services even allow UK political talking points to be formulated and talked about on topics like trapdoors, backdoors, new gov keys to all UK encryption?
Academics and software developers to help to trapdoor crypto by design and sharing of extra keys with the UK gov?
Now everyone knows "Designed in the UK" is code for the UK gov and mil listening in by default over all generations of UK products and brands.
Local manufacture is now synonymous with hardware tracking and default backdoors out of the box.
If only decades of clever policy surrounding crypto ambiguity had been allowed to continue.
Re: (Score:2)
'targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent'.
2. lawful, we're passing the law right now
Being from the UK I did not understand that point. If it is introduced as a new law, then anything done under it will be lawful by definition. These companies are USA based and don't seem to realise that there is no higher law in the UK; for better or worse there is no equivalent to the US Constitution. It would have been better if they had left that point out as it only reveals misunderstanding of the way UK law works, raising the question of how they are qualified to comment.
Please provide links (Score:2)
Would it be possible to provide a link to the draft bill in these stories please?
Re: (Score:2)
UK mass surveillance 'totalitarian' and will 'cost lives', warns ex-NSA tech boss (06 Jan 16)
http://www.wired.co.uk/news/ar... [wired.co.uk] has some more background with the pdf:
Re link to the draft bill https://www.gov.uk/government/... [www.gov.uk]