More details of how the UK’s new surveillance law will operate have been revealed, in details about the use of encryption.
Under draft regulations to support the new Investigatory Powers Act, the government will be able to issue ‘technical capability notices’ to companies with more than 10,000 UK users to make it easier for police, spy agencies and other government bodies to access their customers’ communications.
In particular, the regulations require companies to provide and maintain “the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection.”
Those powers means it will be extremely difficult for tech companies and ISPs in the UK to offer their own end-to-end encryption services to their customers. That’s because end-to-end encryption only allows the sender and the recipient of the communications to read the message: it is hidden from the company that sends it, as well as from other prying eyes.
The leaked paper was revealed by the Open Rights Group, and the group’s executive director Jim Killock said the powers could be used to force companies to limit encryption, and that when these powers are used, it would be done in secret.
“There needs to be transparency about how such measures are judged to be reasonable, the risks that are imposed on users and companies, and how companies can challenge government demands that are unreasonable”, he said.
“Businesses and the public need to know they aren’t being put at risk. Sometimes, surveillance capabilities may be justified and safe: but at other times, they might put many more people – who are not suspected of any crime – at risk.”
Police and intelligence agencies have long worried about losing the ability to intercept the communications of criminals and terrorists, who are able to plot in secret using encrypted messaging apps. It’s a legitimate concern, but not one that is likely to be addressed by this legislation.
Criminals are simply going to switch to services based in other countries, or find even more obscure ways to communicate. And it may also make us less secure. The events of the last year have shown that criminals and state-sponsored hackers are always looking for ways to access and steal communications. Forcing the UK to use weaker forms of secure messaging will make the job of foreign spies and crooks much easier.
And those ISPs and tech companies that are obliged to hold our unencrypted messages? Effectively they will have a big red target painted on them forever more. If hackers and intelligence agencies know that these companies have the means to decode any messages on their network, then cracking their security becomes a priority.
Still, it’s also important to consider the international perspective here: most secure messaging apps are not based in the UK, but in the US and the rest of the world, where the UK’s law will have little impact. For these companies the UK is just one market among many, and they won’t change their tech strategy just for one goverment, especially if their own goverment imposes no such demands.
So it’s highly unlikely that the messaging apps we use, in our millions, every day, will be stripped of their end-to-end encryption anytime soon. UK phone companies and ISPs offering such services will simply shrug, and point out they did not add the encryption in the first place and therefore have no way of removing it. That’s a big hole in the legislation.
However, there is another international dimension to consider. It could be that some countries will take the UK’s law as a blueprint for their own surveillance laws (and the row over encryption is just one element of the legislation which also includes a legal framework for police and intelligence agencies to hack smartphones, PCs, tablets or computer infrastructure and requires ISPs to retain details of the internet browsing history of the entire country for 12 months.)
If enough countries decide they want similar legislation in place (the UK laws go further than similar laws in other democratic countries) and do not want companies in their jurisdiction offering end-to-end encryption then it may become harder for many people to use encryption as they do today.
That may make it easier to police and intelligence agencies to track criminals but at a cost to the security of the majority (and it would still be all but impossible to stop the use of end-to-end encryption completely).
The UK’s lone stand against encryption is unlikely to succeed, but it may point to bigger battles ahead.