The trend towards greater state surveillance has become even more obvious since Edward Snowden’s revelations. Governments frequently justify such invasions of their citizens’ privacy as counterterrorism or anti-pedophile measures. In recent weeks, two unmissable examples of state interference have been hurried through: an amendment to Rule 41 of the Federal Rules of Criminal Procedure in America and the Investigatory Powers Bill by Theresa May. Both laws permit or legalize massive invasions of privacy. Nobody is questioning the presence of a criminal threat – whatever it may be motivated by. However, changes to legislation will weaken the security of many IT products, which is already under heavy fire, as demonstrated by current events such as the Google hack or the attack on Telekom routers in Germany.
Rule 41, which came into force on December 1 in the United States, allows law enforcement or other government services to request a warrant for determining the location of individuals using any form of anonymization software such as Tor or even just a VPN. Federal agents may use any necessary means to track users of anonymization software, including trojans. It is now also easier to obtain search warrants for access to data storage during an investigation involving several state jurisdictions.
To demonstrate and justify the need for changes to the law, the FBI cited the Playpen case, where a Tor server operated by the FBI was used to track down pedophiles. While this was both a valid and successful use of this technology, the current amendments to legislation have unfortunately opened the door to misuse of snooping technology in cases where individuals are simply using a form of anonymization to protect their privacy. Paradoxically, just using the Tor Browser is enough to attract suspicion, even though the US government has contributed significantly to funding the Tor project.
However, this measure pales in comparison to the plans of the British government. Theresa May, who is already known for her privacy-threatening initiatives, has pushed through the most powerful surveillance legislation in Europe by far. The Investigatory Powers Bill has retrospectively legalized some of the more questionable activities of the intelligence services that were revealed by Edward Snowden and also permits even more far-reaching breaches of privacy. Now the British intelligence services can intercept communication data at will – even outside the UK. Data retention is also covered by the Investigatory Powers Bill, which forces ISPs to keep customer data on record even without any cause for suspicion. If the intelligence services want to know more about specific customers, ISPs are obliged to help in intercepting and decrypting content. And in any case, police and certain government agencies can now hack electronic devices without exception.
What this means in practice remains to be seen over the coming months. Either manufacturers will add backdoors into their products to comply with the government’s demands, or vulnerabilities will no longer be made public and fixed but left open for clandestine use. That many hacks in recent years have been successful due to intentional backdoors or vulnerabilities which have not been patched is an indisputable fact which is well hidden by policy makers. If the US approach to anonymization software spreads to Europe, companies may even start to avoid using VPNs to encrypt their data for fear of attracting suspicion. Incidentally, British police have also been successful in their fight against encryption using more traditional methods: recently, Scotland Yard officers followed a suspect until they made a telephone call with their iPhone, and the officers intervened by seizing the unlocked device.