Hacking by police 'inevitable' thanks to use of encryption

Police and intelligence agencies will turn to hacking in a bid to get round the use of strong encryption.
Written by Steve Ranger, Global News Director
The use of computer network exploitation - hacking - by intelligence agencies is well documented.
(Image: GCHQ/Crown Copyright)

Police will join intelligence agencies in deploying hacking techniques to get past the use of strong encryption by their targets, according to a report into the UK's surveillance powers.

The report by the UK government's independent reviewer of terrorism legislation, David Anderson QC, is calling for a revamp of the patchwork of existing legislation around internet surveillance.

The report also addresses the use of encryption - and law enforcement's desire to bypass it to further their investigations.

The use of encryption to protect communications has been increasing recently - largely fuelled by NSA-contractor-turned-whistleblower Edward Snowden's revelations about the pervasive interception of private communications by surveillance agencies such as the NSA and GCHQ.

As a result, many companies now encrypt their customers' emails and other communications by default, making it all but impossible for spies and police to gain access to the messages.

As such, law enforcement has been pushing for powers that can force companies to hand over unscrambled versions of such conversations. However, it seems they are also keen to use computer network exploitation (CNE) - a polite euphemism for hacking techniques - as well.

The report revealed that in discussions with Anderson the National Crime Agency had raised the topic of the "possible future use by law enforcement of CNE".

The report said the NCA "considers that targeted CNE could give the whole communications picture of a subject at the early stage of an investigation, allowing a more targeted approach to those involved in the most serious criminality, and ensuring that those who adopt advanced encryption technologies remain within the reach of the law".

It added: "For their part, the police consider that, in an increasingly cyber-enabled environment, the need for them to use CNE is inevitable."

Anderson noted that "a debate is clearly needed as to how law enforcement can best utilise CNE and what safeguards should apply".

The intelligence services are already using such techniques: back in February the UK government admitted that spies can hack targets, publishing a draft code of conduct on the use of hacking and bugging earlier this year.

CNE techniques can vary from using someone else's login to gain access to information, to exploiting vulnerabilities in software in order to gain control of devices or networks, to remotely extract information, or even secretly taking hardware and replacing it.

The report said that while the intelligence services do not want a "permanent trump card" or to put the use of encryption under government control, as it was back in the 1990s, they "do look for cooperation, enforced by law if needed, from companies abroad as well as in the UK, which are able to provide readable interception product".

It is not clear what such legislation would look like, or how any UK legal powers could be enforced against international tech companies.

In any case the report also said there are other ways around encryption: "The agencies seek to address impeded access to communications through their own cryptographic work. They will also need to develop new methods of accessing data, for example through increased use of CNE. They therefore want the capabilities and an appropriate legal framework within which this work can be carried out."

However, the Anderson report said that some of the "intrusive" surveillance techniques - including CNE and attempts to break encryption standards - used by the security and intelligence agencies "do not find clear and explicit basis in legislation, other than general powers", and said that some experts "with a detailed knowledge ofthe technology involved" had expressed serious concern regarding the fact that such powers were apparently used without explicit parliamentary approval or public awareness and support.

It noted: "CNE presents a dizzying array of possibilities to the security and intelligence agencies, and while some methods of CNE may be appropriate, many are of the view that there are others which are so intrusive that they would require exceptional safeguards for their use to be legal."

More stories on surveillance and cybercrime

Editorial standards