I've just sent this email to my MP. Hopefully it will make a difference. I've asked for permission to post her reply.
---------------------------
Dear Ms Fernandes,
I am a resident of [redacted]. My address is [redacted]. I am writing to you a second time about the proposed
Investigatory Powers Bill. I wrote to you about this on 5th November
2015 urging you to try to mitigate the worst aspects of this bill, and
now I am writing to urge you to vote against this bill when it comes to
Parliament.
I am deeply concerned about the powers that this bill would give to the
Home Secretary. However in order to keep this email reasonably short I
will concentrate on one particularly dangerous power.
If this bill becomes law then the Home Secretary would be able to order
any "communications company" (the term could mean anyone involved in
providing software or equipment that enables communication) to install
any surveillance feature the Home Secretary wishes. The recipient of
this order would be unable to appeal against it, and would be prevented
from revealing the existence of the order. There is no sunset time on
this gag clause: it will last as long as the Home Secretary and the
security services wish to maintain it.
It is true that these orders will also have to be signed off by a judge,
but that will only verify that the order complies with whatever
procedures are in place at the time. Furthermore these judges will only
ever hear one point of view on the reasonableness and proportionality of
the orders, and this can only result in the erosion of these safeguards
over time.
I want to illustrate the danger of this power to weaken security by
showing how it would impact a common method of selecting encryption keys
called Diffie-Hellman Key Exchange. This method is used by web browsers
and email programs whenever they make a secure connection (e.g. to web
addresses starting "https"). It is also used by "Virtual Private
Networks" (VPNs) which are widely used by businesses to allow employees
to work remotely, and I expect that Parliament has one to allow MPs to
access their email. You may even be using it to read this.
I want to show that any attempt to intercept messages where
Diffie-Hellman is used will greatly weaken it, and that this will worsen
our security rather than improving it. I will show this by linking the
NSA to the compromise of the Office of Personnel Management (OPM) in
America last year.
I don't propose to explain the technical details of Diffie-Hellman. What
it means is that two computers can exchange a few messages containing
large random numbers, and at the end of this they will share a secret
key without that key ever having been sent over the Internet.
Suppose that a communications company provides software that uses
Diffie-Hellman, and receives an order from the Home Secretary that they
must make the encrypted messages available to law enforcement and the
intelligence agencies. What are they to do? They never see the secret
keys, so they must do one of the following:
1: Modify the software to send a copy of the chosen key to someone. This
is far less secure, and also very obvious. Anyone monitoring the packets
sent by the programs will instantly see it.
2: Modify the software to make the keys or the encryption weak in a
non-obvious way so that the UK intelligence agencies can determine what
the key is. For instance, the random numbers might be made more
predictable in a subtle way.
These are the only two ways in which the communications company can
comply with the order.
We have seen what happens when Option 2 is chosen, because this was done
to Juniper Networks firewall product [see ref 1 below]. Someone deliberately inserted
"unauthorised code" which weakened the encryption used by this product
in a very specific and deliberate way. There is no possibility that this
was an accidental bug. The responsible party is widely believed to be
the NSA, because secret briefings released by Edward Snowden made
reference to the ability to intercept data sent via this product [ref 2],
and it would be much easier for the NSA to infiltrate an American
company than for anyone else to do it.
However there is something important that happens when software is
updated: hackers (including foreign governments) scrutinize the updates
to see what has changed. Normally they find that the old version of the
software had a security hole which is now patched, so the patch flags up
a way to attack computers that haven't been updated yet. But in this
case when Juniper issued an update to their firewall software these
hackers found the security hole in the *new* software.
Doing this kind of analysis in a systematic way for many security
products is a very large job. Doing it in secret requires the resources
of a government. So now not only could the NSA intercept communications
sent via Juniper firewalls, but so could an unknown number of foreign
governments. The Chinese were almost certainly one of them. Other
nations known to have invested in cyber-attack capabilities include the
Russia, Israel and North Korea (although the last is probably not as
capable yet).
Juniper products are widely used by the US Government. This is likely to
have been one of the ways in which the Office of Personnel Management
(OPM) was penetrated last year [ref 3]. The Chinese government is the prime
suspect in this hack, through which the attackers have obtained copies
of the security clearance applications of everyone who has ever worked
for the US government.
So it seems that the NSA, by introducing a supposedly secret "back door"
into a widely used product, cleared the way for the Chinese to obtain
secret files on everyone who has ever worked for their government,
including all of their legislators and everyone who works at the NSA.
Nice job breaking it, Hero!
Now it is true that this is circumstantial; we have no hard evidence
that the Juniper back door was inserted by the NSA, no hard evidence
that the Chinese found it, and no hard evidence that this contributed to
the OPM hack. But each of these is a big possibility. Even if the OPM
hack didn't happen in exactly that way, deliberately weakening security
makes events like this much more likely. If the Home Secretary orders a
company to introduce weakened security, that fact will become apparent
to anyone with the resources to dig for it. Once armed with that fact,
they can attack through the same hole.
Furthermore, we would never find out when a disaster like the OPM hack
happens under the regime described in the Investigatory Powers bill.
Suppose that, thanks to the weakened security ordered by the Home
Secretary, secret government files are obtained by a hostile power, and
the communications company executives are called before a Parliamentary
Inquiry to account for their negligence; how can they defend themselves
if they are legally prohibited from revealing their secret orders?
More generally, we will never be allowed to learn about the negative
effects of these secret orders. It would embarrass those who issued
them, and they are exactly the people who would have to give permission
for publication. So if Parliament passes this bill it will never be
allowed to learn about the problems it causes, and hence never be able
to remedy the mistake.
I have focused on only one of the measures in the Investigatory Powers
bill here, but there are many others in the bill that cause me great
concern. To go through the whole bill in this level of detail would make
this email far longer, and I know that you have many calls on your time.
I can only ask you to believe that there are many similar issues. For
these reasons I must urge you to vote against the bill when it reaches
the House of Commons.
Yours sincerely,
Paul Johnson.
[1]
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
[2]
https://assets.documentcloud.org/documents/2653542/Juniper-Opportunity-Assessment-03FEB11-Redacted.txt
[3] https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
