
What A Global Anti-Encryption Regime Could Look Like – UK

02/07/2017

Our Prime Minister wrote the dangerous RIPA law, and this year, to my horror, she persists in attempting to end widespread encryption. I’m concerned that these laws are open to abuse by hundreds of government departments, in addition to everyday financial crimes. In truth, I am more worried by government abuse than any crimes that may be committed by criminals.

https://www.eff.org/deeplinks/2017/06/five-eyes-unlimited

Before she was elevated to the role of Prime Minister by the fallout from Brexit, Theresa May was the author of the UK’s Investigatory Powers bill, which spelled out the UK’s plans for mass surveillance in a post-Snowden world.

At the unveiling of the bill in 2015, May’s officials performed the traditional dance: they stated that they would be looking at controls on encryption, and then stated definitively that their new proposals included “no backdoors”.

Sure enough, the word “encryption” does not appear in the Investigatory Powers Act (IPA). That’s because it is written so broadly it doesn’t need to.

We’ve covered the IPA before at EFF, but it’s worth re-emphasizing some of the powers it grants the British government.

  • Any “communications service provider” can be served with a secret warrant, signed by the Home Secretary. Communications service provider is interpreted extremely broadly to include ISPs, social media platforms, mail services and other messaging services.
  • That warrant can describe a set of people or organizations that the government wants to spy upon.
  • It can require tech companies to insert malware onto their users’ computers, re-engineer their own technology, or use their networks to interfere with any other system.
  • The warrant explicitly allows those companies to violate any other laws in complying with the warrant.
  • Beyond particular warrants, private tech companies operating in the United Kingdom also have to respond to “technical capability notices” which will require them “To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form,” as well as permit targeted and mass surveillance and government hacking.
  • Tech companies also have to provide the UK government with new product designs in advance, so that the government can have time to require new “technical capabilities” before they are available to customers.

These capabilities alone already go far beyond the Nineties’ dreams of a blanket ban on crypto. Under the IPA, the UK claims the theoretical ability to order a company like Apple or Facebook to remove secure communication features from their products—while being simultaneously prohibited from telling the public about it.

Companies could be prohibited from fixing existing vulnerabilities, or required to introduce new ones in forthcoming products. Even incidental users of communication tech could be commandeered to become spies in Her Majesty’s Secret Service: those same powers also allow the UK to, say, instruct a chain of coffee shops to use its free WiFi service to deploy British malware on its customers. (And, yes, coffee shops are given by officials as a valid example of a “communications service provider.”)

Wouldn’t companies push back against such demands? Possibly: but it’s a much harder fight to win if it’s not just the UK making the demand, but an international coalition of governments putting pressure on them to obey the same powers. This, it seems, is what May’s government wants next.

The Lowest Common Privacy Denominator

Since the IPA passed, May has repeatedly declared her intent to create an international agreement on “regulating cyberspace”. The difficulty of enforcing many of the theoretical powers of the IPA makes this particularly pressing.

The IPA includes language that makes it clear that the UK expects foreign companies to comply with its secret warrants. Realistically, it’s far harder for UK law enforcement to get non-UK technology companies to act as their personal hacking teams. That’s one reason why May’s government has talked up the IPA as a “global gold standard” for surveillance, and one that they hope other countries will adopt.

 

 
