Internet-connected toys, cars, TVs and other smart devices of the rapidly expanding Internet of Things (IoT) bring up a host of privacy concerns, as more data is created and shared across the internet from “things” that lack basic security.
What if these poorly-secured devices were exploited by the government to spy on our activities and communications?
That rather uncomfortable question has an even more worrisome answer – surveillance through IoT devices is not only possible, it’s possibly already happening.
Proposals in the draft Investigatory Powers Bill, a sweeping piece of surveillance legislation being debated in UK Parliament, would put a legal stamp of approval on government hacking of computers and other devices in criminal and terrorism investigations.
The UK government calls this kind of hacking “equipment interference” (EI).
British intelligence agencies GCHQ and MI5 and even domestic law enforcement have already been hacking suspects’ devices (with a warrant), but the Investigatory Powers Bill would put the practice on “firmer legal footing,” as the BBC puts it.
A recent court case in the UK revealed that GCHQ, alongside the NSA, has used malware to hack into devices, including accessing devices’ cameras to peek at webcam chats.
In the US, the FBI has also admitted recently to using zero-day vulnerabilities to hack into devices.
It’s not just computers and smartphones the government could hack – IoT devices could become avenues for surveillance too, a technology industry expert told Members of Parliament (MPs) of the Commons science and technology committee.
Antony Walker, deputy CEO of the technology industry group TechUK, warned that those powers could be used by law enforcement to hack into any kind of “smart” connected device, including children’s toys:
A range of devices that have been in the news recently, in relation to a hack, are children's toys, that children can interact with. These are devices that may sit in a child's bedroom but are accessible. In theory, the manufacturer of those products could be the subject of a warrant to enable equipment interference with those devices. So the potential extent, I think, is something that needs to be carefully considered.
The draft legislation includes some safeguards against abuse and checks on government powers, such as the requirement for a warrant that is limited to six months and is overseen by the Investigatory Powers Commission.
A fact sheet about EI put out by Home Secretary Theresa May says the warrants must make clear the “necessity and proportionality of the action being taken,” and calls the process for approving warrants “double-lock authorization,” because warrants must be issued by a Secretary of State or a Chief Constable and then approved by a Judicial Commissioner.
But critics of the legislation say those protections against government overreach are inadequate.
According to the Center for Democracy & Technology (CDT), the double-lock system would be “severely undermined” by lack of independence of the Judicial Commissioners, and by “procedural flaws” that would “place a heavy thumb on the scale in favor of surveillance.”
CDT said the Judicial Commissioners would be appointed solely by the Prime Minister, without input from Parliament, so the governing party could easily appoint only commissioners sympathetic to its own agenda for surveillance.
The Judicial Commissioners would not have access to all of the evidence in determining the validity of the warrants, and neither would they have a role in approving other controversial powers under the Investigatory Powers Bill including data retention and targeted surveillance of metadata.
In “urgent” situations, the Home Secretary and other authorities could conduct surveillance for up to five working days before getting approval from the commission, and even if the commission decided not to issue a warrant (retroactively), the data collected would not have to be destroyed.
These limitations mean the Investigatory Powers Commission would “not be capable of preventing abusive surveillance practices,” CDT said.
Other provisions in the draft bill, such as required retention of internet users’ web browsing history by ISPs for 12 months, have drawn sharp criticism from privacy advocates and technology companies.
The draft bill would also require communications service providers (CSPs) to retain metadata on internet connections, although the draft language is sufficiently vague that it could be difficult to differentiate between data about how communications are delivered and the content delivered.
Sophos was among the UK-based technology companies asked to provide evidence during a session last month for the Science and Technology Committee’s review of the draft bill.
John Shaw, Sophos vice president of product management, told Parliament that among his concerns was how the data retained by service providers would be protected from potential attackers, who could glean highly sensitive private information from which websites people have connected to, such as which bank they use:
You end up having to keep an awful lot of the data, even if you are not keeping the content, and that data can be very meaningful for someone wanting to use it for nefarious purposes; for example, which bank someone uses would be very obvious. There is a lot of data in the way in which web communication would happen that gives you a bunch of clues as to the content going in there and it is very hard to separate those things. There are a lot of concerns about that.