Snooper’s Charter would allow UK Government to ban end-to-end encryption
The UK government has publicly admitted that parts of the Investigatory Powers Bill (IPB), better known as the ‘Snooper’s Charter’, would allow it to force companies to ban end-to-end encryption.
In what may be viewed as a huge assault on the public’s privacy, not to mention digital security, the government would ask internet and communication service providers to “develop and maintain a technical capability to remove encryption that has been applied to communications or data”. As one member of the House of Lords put it, when debating the IPB, this essentially means that companies may not use end-to-end encryption, and could leave the public at risk, not to mention setting a supremely dangerous precedent.
Lord Strasburger explained:
The implication of what [the government] is saying is that no one may develop end-to-end encryption. One feature of end-to-end encryption is that the provider cannot break it; encryption is private between the users at both ends. He [the minister] seems to be implying that providers can use only encryption which can be broken and therefore cannot be end to end, so the next version of the Apple iPhone would in theory become illegal.
That’s because developing the technical capability to break strong encryption is a costly and problematic endeavor. So in essence, the government aims to force companies to offer weaker encryption and develop backdoors in their services. This is exactly what privacy and advocacy groups like the EFF warned about months ago, when the FBI was trying to force Apple to hack its devices.
As usual the powers granted by the Snooper’s Charter are claimed to be in the service of national security and the fight against terrorism. Earl Howe, minister of state for defence, argued that “there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication.”
But of course, the wider implications of such demands, by a democratic Western government no less, are rarely brought up by their proponents. However, Baroness Hayter attempted to explain:
The problem is whether the Government would ever require a company to engineer such access, enforcing the company to create a model which, if then followed by other nations with perhaps less security than ours, would lead to a lowering of standards.
Her arguments bring to mind recent cases where authoritarian regimes such as Turkey, Russia and China have demanded access to user data and banned companies from using strong encryption which the government couldn’t bypass.
To be clear, the Government Minister of State for the Ministry of Defence in the House of Lords has clarified that certain clauses within the Investigatory Powers Bill do in fact compel Communications Service Providers to ensure that there is a capability for the state to acquire plaintext equivalents of encrypted communications if reasonably practicable if and only if the CSP has applied said crypto themselves.
- Is this bad news for Whatsapp etc? Yes
- Is this bad news for normal people? Yes
- Is this bad news for crypto geeks? Kinda (it’s kinda abhorrent to have to undermine crypto for the state but nothing stopping you using PGP / OTR / etc)
- Is “end to end crypto” banned? No
- Is there a criminal offense for using crypto? No
- Can you (a UK citizen) be jailed for refusing to decrypt your comms / HDDs etc? Yes (RIPA s.49 / s.50)
TL;DR: If you provide communications services (e.g. an app) and your app encrypts messages then the government can ask you to ensure you are able to decrypt messages if asked and if reasonably practicable.
Source: Provided written evidence to both the Parliamentary Joint Select Committee and the Science and Technology Committee against many powers within the bill (notably the encryption elements above, ICRs, Bulk EI (hacking) and the filter) and have been following this bill since its inception.
Edit: FWIW the House of Lords is having its final debate from 14:30 BST today in regards to ICRs (a record of every internet connection you make held for 12 months), the filter (a way to query all CSPs simultaneously for said ICRs using an identifier e.g. your name or your address) and more. You can watch it here: http://parliamentlive.tv/Event/Index/564fcfed-b0eb-4220-bc56-4206f6e3c889
- Do encrypt your communications separately to your ISP (your ISP has to decrypt your data if asked and they are able).
- Use a service dedicated to privacy. Use a VPN provider that both runs its own DNS (so your ISP’s DNS server is not used) and does not keep logs, so that even if a court order is served, they are unable to comply.
- I use IVPN, along with a number of other privacy tools. I’m a proud affiliate of IVPN, as I can’t find anyone who’s better. I won’t promote anyone else, as nothing compares to them in my opinion.