Draft Code Reveals That Security Services are Capable of Bypassing Encryption

While encryption is everywhere and is gaining importance for technology users around the world, Britain’s security services have recognized that they have the worldwide ability to bypass encryption used by internet companies by attacking the computers themselves. The Home Office released “draft equipment interference code of practice” on Friday, the regulations and safeguards of computer hacking outside of the UK by security services shown for the first time.

The draft code publication followed David Cameron’s speech last month where he took a stance against encryption and promised to ensure there was no “safe space” for terrorists or other criminals that could not be monitored by the security services, even with a ministerial warrant.

UK government issues first legal definition of computer hacking by spies

Space InternetCampaigners of privacy say the powers outlined in the draft provide the intelligence services the power to sweep content off of a computer or smartphone, track position with GPS, enable a smartphone’s camera or microphone and listen in and record phonecalls. The code sanctions hacked computers to “enable and facilitate surveillance activity”.

Eric King of Privacy International, said:

They hack their way, remove and substitute your hardware and software and enable intelligence collection by turning on your webcams and mice and shipping the data back to GCHQ at Cheltenham.

In addition to the other abilities, security services will be able to use computer network exploitation to identify, track and disrupt high-profile targets. Computer network exploitation or mass hacking, is the process of which computer networks are used to infiltrate a target’s computer network to extract and gather information. Computer network exploitation will allow intelligence services to break through and collect sensitive and confidential data that is mostly hidden and protected from the public. Intelligence services will be able to bypass the end-to-end encryption used by most Internet companies to protect customer communications after the Snowden disclosures of bulk internet surveillance. Privacy campaigners believe that this code is more intrusive than intercepting calls or emails because they are sweeping content that is meant to be private.

Carly Nyst, legal director of Privacy International, believes suggestions for making security services more accountable should be welcomed, stating:

However, GCHQ cannot legitimize their unlawful activities simply by publishing codes of conduct with no legislative force. In particular, the use by intelligence agencies of hacking – an incredibly invasive and intrusive form of surveillance – cannot be snuck in by the back door through the introduction of a code of conduct that has undergone neither parliamentary nor judicial scrutiny. It is surely no mistake that this code of conduct comes only days before GCHQ is due to argue the lawfulness of its hacking activities in court.

What do you think about the draft code publication?

Images from Shutterstock.

Drew is an undergraduate student at the University of Texas at Dallas, majoring in Business. He is an active member of the Cryptocurrency community, and enjoys Bitcoin, the decentralization of technology, and the rise of P2P applications.