UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor

How far will it go? You'll have to ask the Home Secretary

Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.

As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliges ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand "technical" changes to software and systems.

This was the proposed wording in the Code of Practice accompanying the legislation:

CSPs subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.

As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops – such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications.

[Image caption: Bye bye, encryption ... Wording from the latest version of the law]

Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored.

In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America. A backlash derailed that draft law.

No such backlash happened in the UK over the Investigatory Powers Bill, though, and so here we are. Web browser histories logged by ISPs 24/7, and the looming possibility of crippled cryptography. There may not be much point using a VPN to conceal your web activities if it can be blown open by a technical capability notice.

To be fair, there were some fears that Blighty's law would effectively kill off the UK software industry as well as undermine Brits' privacy, and expose them to surveillance and hacking by criminals exploiting these mandatory backdoors. This mild panic did bring about some changes to the UK's Investigatory Powers Bill before it was passed.

The question is: were the changes sufficient?

The "anti-encryption" part of what is now UK law has moved from section 217 to sections 254-256 [PDF] and contains some additional safeguards. But those safeguards, as they often are, are largely a judgement call by a Secretary of State.

The wording is slightly improved in that it requires one of the Secretaries of State to sign off any "technical capability notice", which introduces a minor choke-point and a degree of accountability. Rather than the security services or police being able to force any communications provider to tell them their new product plans and oblige technical changes, the issue will have to bubble up to the desk of a Cabinet minister, probably the Home Secretary.


Once on his or her desk, one of the Secretaries of State will have to "consider that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct."

He or she will also have to consult the "Technical Advisory Board" – which was created in response to another unpopular piece of technical legislation, RIPA – and people who are "likely to be subject to any obligations specified in the regulations."

Any notice that the secretary then decides to push forward will have to be approved by a "Judicial Commissioner" – a judge appointed by the Prime Minister in that role – who will take into account the same factors as the secretary but, critically, also have to consider "the same principles as would be applied by a court on an application for judicial review."

If the commissioner refuses to approve the decision, he or she must provide a written reason for doing so. But that decision can then be overridden by the new Investigatory Powers Commissioner.

The Investigatory Powers Commissioner has been created specifically for this legislation and will be appointed by the Prime Minister. That in itself was the subject of some debate, with a select committee of MPs arguing that the commissioner should be appointed by the Lord Chief Justice rather than the Prime Minister. In the end, the government won out.

Some further improvements come in the form of more precise wording. Any notice would have to specify what sort of obligation will be applied to a communications provider. Most noteworthy in this context is section 254 (5)(c):

The obligations that may be specified in regulations under this section include, among other things ... obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.

Other obligations are clearly intended to allow for government tapping of internet communications and after-the-fact provision of stored data from ISPs.


There is also a list of things a Secretary of State must consider before posting a relevant notice, including:

  • likely benefits of the notice
  • number of users
  • technical feasibility of complying
  • cost of complying, and
  • "any other effect of the notice on the person"

In short, all that the law's passage through Parliament has done to the UK government's ability to force tech companies and telcos to introduce backdoors into their technologies is make the process slower and a little tougher.

Does it prevent the UK government from breaking encryption? It absolutely does not. In fact, it foresees it.

Does it mean that customers will be made aware that their communications and traffic are compromised by a backdoor? No, it does not. All of the checks and balances are safely contained within the upper levels of government and the judiciary.

Based on what both the UK and US governments have done in the past with all-encompassing orders that are time-based rather than product-based, and considering that nothing in the law says it has to be done on a case-by-case basis, it's a safe bet that the government will approve one-size-fits-all "technical capability" notices for specific companies.

Where will the balance between protecting consumers and providing access to law enforcement and security services lie? We will likely never know in any useful detail since no one is under any obligation to make that reasoning or argument available outside the small group of individuals that take the decision.

Nuts of it

Most critically, if a Cabinet minister decides he or she wants a backdoor to be introduced into some software, is there anything that can stop him or her? The answer to that is almost certainly no, except that he or she can be slowed down and would likely have to make some concessions to move ahead.

If the Home Secretary and the Prime Minister both want a backdoor into some service is there anything that can stop them? Again, no, but a brave Investigatory Powers Commissioner could delay it for a few years.

And in the broader picture, will the UK government be able to force the likes of Twitter or Facebook or Google or Apple to introduce backdoors and/or hand over user data? And the answer to that is: let's wait and see.

The UK government can certainly insist that a company not based in the UK carry out its orders – that situation is specifically included in the new law – but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the UK market.

At the end of the day, will the UK security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.

Will they do it for less than that? You'll probably have to ask the Home Secretary. ®
