This article was published on March 1, 2016

UK’s spying rules would force tech companies to break encryption – and you’ll pay for it


When the government dumps hundreds and hundreds of documents at one time, it’s almost as if it doesn’t want you to know where to start.

And boy is the UK’s new Investigatory Powers Bill a privacy-infringing gold mine.

Having had the draft pulled apart by no fewer than three official policy watchdogs, it’s already been slated by the Guardian newspaper today, while more than 100 MPs and security campaigners have just written to The Telegraph to oppose it.

Indeed, the government readily admits: “Interception of communications will almost always involve an interference with an individual’s rights under Article 8 (right to respect for private and family life) of the European Convention on Human Rights (ECHR).”

UK citizens actually get off reasonably lightly when looking at one of the most controversial areas of the act, bulk interception, as the new law “prevents the issue of a bulk interception warrant with the primary purpose of obtaining communications between people in the British Islands.”

However, as was already identified during the evidence sessions that were supposed to inform this new law, and as is now outlined in the guidance, that’s of course not true in reality:

Due to the global nature of the internet, the route a particular communication will take is hugely unpredictable. This means that a bulk interception warrant may intercept the communications to or from an individual in the British Islands.

Actually, the document does more than just allow for accidental interception of UK citizens’ communications:

Section 119(5) of the Act makes clear that a bulk interception warrant can authorise the interception of communications that are not overseas-related to the extent this is necessary in order to intercept the overseas-related communications to which the warrant relates.

It readily admits it.

When getting a bulk interception warrant, intelligence officials will have to demonstrate that it is “in the interests of national security, for the purpose of preventing or detecting serious crime or in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security.”

But, just to cover their backs, the document also states that there may be: “operational purposes that need to be added to or removed from bulk warrants, including in urgent circumstances.”

Of course, each warrant has to be “necessary and proportionate,” whatever that means, and the document assures us that “all content and data intercepted will be kept for no longer than necessary.” Again, entirely, unequivocally clear what the limits are.

Obligation to remove encryption

Essentially any Web service, whether based in the UK or otherwise, is liable to get a knock on its backdoor. Email providers, messaging apps, other cloud-based services, online marketplaces, telcos and public Wi-Fi providers are all called out explicitly in the new proposed law.

If the service has more than 10,000 users, it may even be required to work with the government ahead of time to build a “technical capability to give effect to interception, equipment interference, bulk acquisition warrants or communications data acquisition authorisations.”

Although this will be limited to “Communication Service Providers (CSPs) that are likely to be required to give effect to warrants or authorisations on a recurrent basis,” that definition sounds like it could apply to any widely-used platform.

And, you got it, contrary to what tech companies suggested in their evidence, that also includes the potential end of encryption.

An obligation placed on a CSP to remove encryption only relates to electronic protections that the company has itself applied to the intercepted communications (and secondary data), or where those protections have been placed on behalf of that CSP, and not to encryption applied by any other party.

It’s not clear whether the personal PIN infrastructure that Apple is battling with the FBI about counts as “electronic protections that the company has itself applied” or “encryption applied by any other party.”

If it’s the former, then we are about to enshrine the right of the UK government to force Apple to open a door it says it will not be able to shut.

This work with Web service providers is also intended to go beyond mere compliance.

CSPs subject to a technical capability notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.

The documentation outlines that “informal consultation is likely to take place long before a notice is given. The Government will engage with CSPs who are likely to be subject to a notice in order to provide advice and guidance, and prepare them for the possibility of receiving a notice.”

Although the person requiring the warrant must make it clear to the issuer what the purpose of the collection will be, tech companies will not be given any of these details for either targeted or bulk interception.

Failing to comply is an offence and may result in imprisonment or a fine, and while companies are able to appeal, they can ultimately be forced to hand over the keys to their data if it’s believed to be in the interests of the UK’s national security.

Sworn to secrecy

All of this will be paid for by the public, whether that’s just to cover the cost of complying, or building an entirely new technology in order to give access to the relevant body.

And of course, all of this will go on in secret:

The Government does not publish or release identities of those subject to a technical capability notice, as to do so may identify operational capabilities or harm the commercial interests of companies acting under a notice. Should criminals become aware of the capabilities of law enforcement, they may alter their behaviours and change CSP, making it more difficult to detect their activities of concern. Any person to whom a technical capability notice is given, or any person employed or engaged for the purposes of that person’s business, is under a duty not to disclose the existence or contents of that notice to any person.

The guidance states that record checking “by officials should be kept to an absolute minimum,” obviously to try to ensure that no one sees any records that have been intercepted by mistake, but it doesn’t outlaw it.

All of this “must be limited to a defined period of time, although access may be renewed,” of course. That’s right after the systems are put in place “to ensure that if a request for renewal is not made within that period, then no further access will be granted.”

If all that sounds a bit vague, worry not: in order to get ultimate cost-effectiveness for our new mass-spying network, the government has come up with an idea:

Section 214 of the Act provides a power for the Secretary of State to develop compliance systems. This power could be used, for example, to develop consistent systems for use by CSPs to intercept communications and secondary data. Such systems could operate in respect of multiple powers under the Act.

Yes, essentially the UK government is spelling out plans to build a great big spying system that it can dip into with as little effort as possible and burying it in hundreds of pages of barely readable bureaucratic documents.

The legislation will now be debated by parliament, although in truly democratic fashion, the guidance already states that it needs to be in force by December 31, 2016.

That sounds frighteningly likely, unless we finally all decide that there’s too much at stake to leave this up to politicians and tech CEOs.

Investigatory Powers Bill [Home Office]
