Gagging orders: The internet surveillance nobody can talk about
Right now, the security services could be crawling over the internet records of thousands of Britons. The suspects don’t know about it, senior executives at the broadband providers don’t know about it, and we can’t know about it. This is Britain in 2018, where security services can act with almost total impunity.
The recently implemented, although still contested, Investigatory Powers Act allows a range of authorities to demand ISPs and other service providers supply them with user data, give access to accounts, retain user browser records and potentially employ a raft of other surveillance tools. But the level of secrecy – including gagging orders on any ISP asked to comply with a Technical Capability Notice (TCN) – means that nobody other than the security services themselves knows the full extent of this unprecedented surveillance.
The gagging orders are so prohibitive that even board members of an ISP may not be aware their customers are being spied upon. “There’s a huge veil of secrecy aligned to some of these technical capability notices,” said Gary Hough, regulatory manager at ISP Zen Internet.
Despite the law coming into effect, it’s still unclear whether the data retention and other tools will apply to all ISPs, and no one is able to talk about it if they are. “As far as I’m aware, we’re not one of the ISPs that are under a notice,” said Hough.
“As regulatory manager I haven’t been approached, so I can’t say at this moment in time whether we are or we aren’t. To the best of my knowledge we are not, but no-one could say that hand on heart as the TCN would forbid us from saying so anyway.”
Given that much of the work on the IP Act was conducted behind closed doors, with participants unable to speak about the details, ISPs and other companies impacted are still pondering what they might be asked to do. “It shows the level of uncertainty and confusion that’s out there, not just for the industry, but also in media circles and among the public,” Hough said. “People are confused as to what aspects of the IP Act mean because the government is just not being clear enough and providing the level of detail required to make an informed and fair appraisal.”
Any request for clarity, or to confirm whether IP Act techniques were already in place, was met with stony silence from the Home Office, while BT showed how the law works in practice. “Secrecy rules in the law mean we are unable to say anything about the use of any specific power in the IP Act about any BT Group company,” the company said in a statement.
The spread of surveillance
The situation in the UK is mirrored in the US, where Facebook is fighting the number of non-disclosure demands placed on the company by officials investigating its users. The company and civil rights advocates argue Facebook should be allowed to inform its users – except in exceptional circumstances – if a government body has demanded access to their account. “Gag orders like the ones at issue in the Facebook case are a threat to privacy, simply because they prevent companies from alerting their users that the government is searching their information,” said Andrew Crocker, staff attorney at the Electronic Frontier Foundation.
“While this might be necessary in some cases, it also prevents users from asserting their own privacy rights in advance, as they would be able to do in other contexts, such as searches of their homes.”
US Facebook customers might take some small solace in the fact that the social network can legally contest the gagging orders. UK law would forbid the company from even talking about the demand for data, let alone challenging it. High-profile cases, such as Apple’s refusal to decrypt an iPhone for the US security services, wouldn’t even have come to light over here. “If the Apple-FBI case were in the UK, Apple would not be allowed to talk about it so there would be no debate or public discussion about that at all,” said Millie Graham Wood, a legal officer with Privacy International.
“In the UK, people are going on about backdoors to encryption, but that’s only because that’s public – who on Earth knows what they would try and do now or in the future?” she said. “It will never be in any regulations and no company can ever say ‘That’s a step too far’ because if they try and say that publicly the government will sue them.”
The legal complications of gagging orders placed on organisations were highlighted recently in proposed statutory changes to LINX – the UK’s main internet traffic exchange, which counts almost every ISP and major internet company as members.
Shortly after the IP Act came into effect, LINX held a meeting of members regarding changes to the group’s constitution, with reports suggesting members would be asked to approve a “gag clause” banning directors from asking members to agree or approve technical or security changes to enable or support surveillance.
LINX said that the proposed changes to its constitution had nothing to do with the IP Act – despite the timing – and that to suggest otherwise is “pure speculation”. However, the organisation did admit the proposed changes would have tightened the organisation’s legal position, so that a small minority of members couldn’t enable LINX to break the law in cases such as requests for data access.
“In the unlikely event LINX were ever instructed under the IP Act to intercept traffic, that would likely come with a gag order – not because of anything in our Articles, but because gag orders are a part of that law, just like they are a part of similar laws in most countries,” the organisation said in a statement.
The proposals failed to pass the 75% majority vote needed to change the constitution, but the debate did raise questions from ISP figures on the potential for internet exchanges being served with warrants. “What it has highlighted is that we need some frank and open debate within LINX on the whole issue of the IP Act and the possibility of secret orders to snoop on LINX traffic,” said Adrian Kennard, director of AAISP, in a blog at the time.
According to critics of the IP Act, the vague way it has been implemented paves the way for security services to introduce ever more intrusive technologies that companies are unable to contest.
For example, as part of the IP Act, there are gagging orders preventing discussion in court of how evidence was collected, discussion of how and how often a company or person has been asked to implement back doors, and discussion of bulk data and communications records.
Much to the concern of George Danezis, head of the Information Security Group at University College London, the legislation effectively means that spy masters can use a wide range of powers without oversight and with little chance of any debate if they want to put new tools in place in the future. “These prohibitions may make sense in the context of operational needs for secrecy — such as during investigations — but what about when the warrant expires?” he wrote in a post during the debate of the IP Bill.
“What about either interception or equipment interference against subjects, organisations, or others that does not lead to any criminal or other conviction – what is the imperative for keeping those secret?
“The imperative is to keep the debate – about the surveillance capabilities, the uses of warrants, the selection of targets for surveillance, the prevalence of surveillance, and the techniques used and their proportionality – secret,” he said. “This is to avoid even the possibility of a mature debate in the future.”
Send for the new Snowden
Many of the changes within the law are effectively intended to mitigate a repeat of the Snowden revelations, which, as well as showing the range of surveillance tools applied to the web, also highlighted that the rules governing spy tools were outdated. It’s ironic, then, that the gagging orders could eventually spur civic-minded whistle-blowers to risk sanctions themselves.
“In a sense, it could lead to another Snowden scenario because if there’s no valve to let off the steam or to complain about these things then it will boil up and, at some point, someone will say ‘The only way I can reveal this is by whistle-blowing’,” said Millie Graham Wood.
“They will think, ‘There’s zero knowledge in the public… and what they’re asking us to do is beyond what I think is morally acceptable’,” she added.
“So what else can you do? It puts people in a really difficult situation. We don’t want whistle-blowers. What we want is transparency and debate, but they’re almost encouraging it.”