At present most of the mentions you’ll see around the UK Government’s new Telecoms Security Bill (TSB) tend to involve Huawei’s ban (here) and its impact upon FTTP broadband or 5G mobile networks, but as time goes on it’s becoming increasingly clear that the bill hides a number of other nasty surprises.
On the one hand, few could disagree with the desire to ensure that modern broadband and mobile networks (public electronic communications networks – PECN), as well as related services (public electronic communications services – PECS), are secure; it’s a no-brainer. On the other hand, politicians tend to be almost universally awful when it comes to setting law in complex technical fields related to the internet, about which they know so little.
For the purposes of this article, we’re going to skip the recap of anything to do with Huawei and supply chain diversity, since we fear this may distract from a lot of other changes that are being introduced alongside the TSB. As such there’s a good chance that some people won’t be aware of just how far-reaching the bill has become, which only recently became clear.
A lot of this concern thus stems from the secondary legislation that accompanies the TSB, which has been set out via the Government’s Draft Electronic Communications (Security Measures) Regulations 2021 (DECSMR). We’ve summarised just a few of the issues below.
Short Summary of Key TSB Issues
1. Internet Snooping v2
The controversial 2016 UK Investigatory Powers Act (aka the Snoopers’ Charter) has already created an extensive system for snooping (spying) on the internet activities of private citizens, which to be fair does include plenty of detail and some safeguards to prevent (or limit) the potential for abuse.
Despite this, it may surprise some people that the TSB, in the course of requiring ISPs to “monitor, analyse and audit” signals entering, transiting and leaving their networks “for the purpose of identifying the occurrence of any security compromise,” appears to introduce a conflicting and poorly detailed “duty” along the same lines as the IPAct.
In short, it tells network operators to “maintain a record of all access to the network or service (but not of the content of signals),” yet then proceeds not to flesh this change out with any detail or clarify how it avoids conflicting with the IPAct. Without a clear definition of “access” this could also be applied to lots of other areas and internet services.
Such records would also need to be stored “securely” for “at least” 13 months, and that’s likely to attract extra costs, which could be significant without some restraint in the legislation.
2. The External Networks and Encryption Conflicts
The TSB asks network providers to “protect any data stored by electronic means in a manner which is proportionate to the sensitivity of the data.” One of the duties involved in this orders providers to “ensure that workstations through which privileged access is possible are not exposed to external networks.” On top of that it tells providers to “ensure that tools enabling monitoring or audit cannot be accessed from outside the United Kingdom if they enable monitoring or audit— (i) in real time, or (ii) of the content of signals.”
The thing about broadband and mobile providers is that they provision access to the internet, which is a global network, so external connectivity solutions and services involving non-UK networks and services are somewhat par for the course. The broad-strokes approach being taken above could, for example, conceivably prevent staff from using their operator’s own Virtual Private Network (VPN) while abroad on business; that’s just silly. Lest we forget, some operators have bases in other countries and need to be able to communicate over non-UK networks.
Network providers must also “take measures to prevent activities that unreasonably restrict monitoring, analysis and investigation,” which sounds as if it could conflict with features like end-to-end encryption (other areas of the TSB also seem like they might hamper this) in communication services (e.g. WhatsApp), as well as secure VPNs and proxy servers etc. We have to wonder about the definition of “unreasonably” here.
3. UK Only
The rules require network providers “to avoid dependence on persons, equipment or stored data located outside the United Kingdom to monitor and audit the use of networks located in the United Kingdom,” which could be difficult to implement given that modern software and hardware tends to be produced with bits and pieces from around the world.
Telecommunications comes attached to global supply chains and indeed many operators have global operations (e.g. we can’t think of many home broadband routers, being bundled by ISPs today, that are 100% – every component and software – created and supplied in the UK). Not to mention that taking a protectionist approach doesn’t fit terribly well with the current “Global Britain” mantra.
We should add that other parts of the TSB encourage data localisation to the UK, which as the ISPA recently said, may go against the “cross-border data flows provisions of the recently agreed EU-UK Trade and Cooperation Agreement and could jeopardise future trade deals that the UK is seeking to pursue.”
The proposed legislation masks a bunch of other tricky changes too, but we felt as if the above areas were perhaps the most important ones to highlight. The UK Internet Service Providers’ Association (ISPA) has done a good job of highlighting these concerns (here) and we recommend this blog post by law firm Decoded.legal for extra depth (here).
The proposed rules, which would hand Ofcom stronger regulatory powers to monitor and enforce all of this (very little is currently known about how that would work and its limitations), surfaced with precious little prior industry consultation. As such there’s a palpable concern that not enough consultation is planned before the secondary legislation is due to be introduced. Since the measures could hit all providers, both little and large, then it’s essential to get it right.
As the techUK trade association put it in their response (here): “Members are concerned that there has been no public consultation with Government before the Bill, and that there is no planned consultation until secondary legislation. Industry engagement has been patchy and inconsistent to date, particularly with those providers who are outside of the likely Tier 1 providers. Given that the TSRs and Codes of Practice are likely to be extensive, we encourage greater engagement with all of industry through appropriate and open means.”
The government, which holds a commanding majority in parliament, might well feel as if it can ride roughshod over such consultations in order to push through the implementation of a highly complex piece of legislation, covering a field that it appears not to fully comprehend. Such an approach, if adopted, would risk a veritable tsunami of unintended consequences. But the biggest risk of all is that in trying to make UK networks more secure, they may end up doing exactly the opposite.
Once you throw the ECHR, a fairly activist judiciary and Treaties into the mix I foresee much litigation.
What with the Snoopers’ Charter and the way ISPs handle customers’ data whilst maintaining GDPR, I certainly hope so. This looks like another government inroad to becoming a totalitarian state through the back door.
It’s almost like we should have a minister / department for broadband, so we’ve got someone responsible for this sort of thing … oh wait.
I mean, someone competent btw. Just thought I’d clarify that bit.
Unfortunately, competent ministers are in short supply in this government…
Can you imagine if cars were invented today?
“This technology brings freedom to many people but is also a significant factor in crime, being used to escape justice on many occasions and also causing many deaths. That’s why this legislation will require that every car has remote tracking reporting its location to the police and cameras so we can see who is driving at any time. In addition, police will have the power to remotely disable any car they wish to at any time.”
Are we ready for ‘The Great British Firewall’? Another world beating c*ck-up?
Perhaps we should all have a small suitcase with a change of clothes ready for when the ‘agents of state security’ arrive in their black crows at 4AM to investigate why you were looking at a foreign site selling an internet router last night.
Are they going to find a new job for Baroness you-know-who?
Seriously, when are we going to recognise that the world is bigger than tiny United Kingdom?
The fascist SNP will love this.
Lol, you might need to look South of the border for fascism, son…
What is unreasonable? Using an ad filtering DNS-over-HTTPS/TLS service that happens to be hosted outside of the UK (because it’s closer to everyone else in Europe, who runs it)?
If they intend to store 13 months of connections to/from each user, they’re going to have a lot to sift through – especially given how every home connection is now potentially a work connection. At just one connection a second, we’d be talking ~34 million records. With all that’s going on, on all the devices a household has, that has to be an underestimate.
Compressed it might not be so bad, but actually storing it in a queryable format could be more painful. Either way, it strikes me as the kind of problem people get paid a lot to solve.
Of course, people most likely to be using work VPNs etc are also some of the people likely to be paying for higher-rate plans, so I imagine ISPs are not going to want to do more than any other one would do in that circumstance.
(Meanwhile, the constant probing from China is not anomalous and therefore not worth noting.)