UK Proposes Even More Stupid Ideas For Directly Regulating The Internet, Service Providers

by Tim Cushing, from Techdirt (#695FX)

The UK government has made no secret of its desire to convert providing encryption into a criminal act. The fact that some things are beyond the government's reach is unacceptable. While lawmakers may suggest this will only target "criminal" purveyors and users, there's no reason to believe this won't be expanded every time law enforcement finds it slightly difficult to access information it believes it's entitled to.

The same government apparently believes it can directly regulate content people have access to, even if that content isn't illegal. For several years, the UK government has attempted to implement "porn filters." The sales pitch is that this is for the children who can far too easily access porn via the internet. But what the UK government really wants to do is limit porn consumption by everyone - something it hoped to achieve by forcing adults to express their desire to consume porn to their service providers.

This effort failed. But this failure has taught the UK government nothing. It still believes it's capable of directly regulating the internet. Its comments on proposed updates to the 1990 Computer Misuse Act suggest the government still thinks it can make the UK safer by unilaterally granting itself a bunch of new powers.

First, the government proposes it should be able to seize domains and IP addresses at will... for the greater good, of course. In order to take down botnets or other offenders (fraudsters, purveyors of contraband, etc.), the UK government is suggesting it should be given these powers:

Once law enforcement have taken control of the domains or IP addresses other possibilities also become available to them. For example, they could choose to "sinkhole" (see glossary of key terms) the incoming victim communication attempts. This "sinkholed" data can be used to identify how many victims there are, what IP address they are on, and on occasions further details about the infected device - such as its operating system, which can help defenders find it and clean it. Sinkholed data can be disseminated through existing channels to notify victims around the globe that they may be infected.

We believe that the UK would benefit from law enforcement agencies being given the right to cede control of the domain and/or IP addresses to trusted parties for management and sinkholing efforts, to remove the need for law enforcement agencies to renew millions of domain names every year to ensure they do not fall back into criminal hands.

The government wants to save UK residents from malicious entities by hijacking domains and IP addresses. This sounds fine if you believe the government is incapable of error or abuse. It looks far worse when you realize there's no government in the world incapable of error or abuse.

The second half of the proposal would allow the government to swiftly divest itself of blowback by handing over the management of the perceived problem to non-government agencies, allowing them to take the heat for any errors or abuse.

The proposal also seeks to allow the government to prevent domain name creation by demanding registrars ignore domain names generated by algorithms. The government assumes only malicious entities would bother using a domain generation algorithm. And, based on that assumption, the government believes it is in the right to demand service providers refuse or cut off access to anything appearing to have been generated by something other than a human.

It's not just blocking being proposed. The government wants to handle any domain name it doesn't like in any way it sees fit, utilizing the altered law to compel cooperation from all involved private parties.

A request to take down, seize or prevent the creation of a domain name would be served on the relevant party who was in control of the domain, such as the Registry (who create it and ensure that only one instance of it exists), a Registrar (who effectively leases it) or the Registrant (who rents it and deploys their content).

A request to seize control of an IP address would be served on a network provider that controls that IP address. They might be required to tunnel that IP to another in the control of law enforcement or other trusted party.

The proposal suggests the UK government has some idea how these powers would be best wielded. But that illusion is shattered by this request, which suggests something else entirely.

We propose that this power is available to specified public authorities, and would welcome views on which agencies should be able to use it.

Perhaps the UK government believes these powers should be granted to any and all agencies asking for access to them. This request does nothing more than ask for sales pitches from agencies the government (as a whole) believes should have access unless specified otherwise by entities whose opinions the government values. Opinions from government agencies are presumably more trustworthy than opinions offered by residents, who are assumed to not know what's actually good for them.

At least there will be some sort of court review involved. Government agencies would have to show the targeted domains are linked to criminal activity to secure a court order. Of course, most of this demonstration of facts will involve plenty of boilerplate and the limited attention of judges who often believe law enforcement wouldn't target sites unless they were host to criminal activity. The better limitation is this:

The person required to carry out the action should have the right to appeal to the court to remove the suspension, as should the registrant where domain names have been registered.

This makes the process a bit more adversarial. But only a little bit...

However, the suspension should remain in place while the appeal is taking place and refusal of the request by the person on whom it is served will result in a fine.

Since refusal is almost always likely to result in a fine (if the government prevails in court), suspensions and other government actions will continue while the court shifts the burden to the recipient to prove the government is wrong. The proposal suggests served parties can be compensated for lost revenue if a court rules the government erred, which may deter some abuse, but the presumption of being in the right still seems to be mostly on the government's side throughout the process.

And there's more. The government wants data preservation to be far less voluntary.

Data is preserved voluntarily at the request of law enforcement agencies, and this process works well. However, given the need for electronic evidence to be available for investigations in an increasing number of cases, we believe that it is necessary for the UK's law enforcement agencies to have access to a power that requires the preservation of data where a person is unwilling to do so voluntarily.

This would not require a court order. Instead, apparently indefinite data retention could be triggered by nothing more than a "senior officer's" signature. The recipient can appeal the retention demand via the courts, but will be required to collect, hold, and maintain the data while this appeal is underway.

The government also wants to change the definition of theft to include the copying of data. Since illicit copying of data triggers lower criminal penalties than actual theft, the government wants to treat making off with unapproved copies as more akin to someone stealing your actual car (rather than just downloading it).

We would like to consider whether there is a need to create a general offence for possessing or using illegally obtained data, and would welcome views on the necessity.

So, the government wants to be able to punish ethical hackers, leakers of non-public info, people who obtain or share the results of data breaches, and anyone else who happens to have data no one specifically said they could have.

Also on the table: extraterritorial investigations and prosecutions, increased mandatory sentences for "computer" crimes, and increased powers for government agencies who claim they're only participating in cyber-defense work.

All of this looks bad. Some of it looks incredibly terrible. At this point, at least, it's only a proposal. But without significant pushback, a lot of these bad ideas will become law.
