Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.
As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliges ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand "technical" changes to software and systems.
This was the proposed wording in the Code of Practice accompanying the legislation:
CSPs subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.
As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops – such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications.
Bye bye, encryption ... Wording from the latest version of the law
Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored.
In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America. A backlash derailed that draft law.
No such backlash happened in the UK over the Investigatory Powers Bill, though, and so here we are. Web browser histories logged by ISPs 24/7, and the looming possibility of crippled cryptography. There may not be much point in using a VPN to conceal your web activities if it can be blown open by a technical capability notice.
To be fair, there were some fears that Blighty's law would effectively kill off the UK software industry as well as undermine Brits' privacy, and expose them to surveillance and hacking by criminals exploiting these mandatory backdoors. This mild panic did bring about some changes to the UK's Investigatory Powers Bill before it was passed.
The question is: were the changes sufficient?
The "anti-encryption" part of what is now UK law has moved from section 217 to sections 254-256 [PDF] and contains some additional safeguards. But those safeguards, as they often are, are largely a judgement call by a Secretary of State.
The wording is slightly improved in that by introducing any one of the Secretaries of State as a required signatory to any "technical capability notices", it introduces a minor choke-point and a degree of accountability. Rather than the security services or police being able to force any communications provider to tell them their new product plans and oblige technical changes, the issue will have to bubble up to the desk of a Cabinet minister, probably the Home Secretary.
Once on his or her desk, one of the Secretaries of State will have to "consider that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct."
He or she will also have to consult the "Technical Advisory Board" – which was created in response to another unpopular piece of technical legislation, RIPA – and people that are "likely to be subject to any obligations specified in the regulations."
Any notice that the secretary then decides to push forward will have to be approved by a "Judicial Commissioner" – a judge appointed by the Prime Minister in that role – who will take into account the same factors as the secretary but, critically, also have to consider "the same principles as would be applied by a court on an application for judicial review."
If the commissioner refuses to approve the decision, he or she must provide a written reason for doing so. But that decision can then be overridden by the new Investigatory Powers Commissioner.
The Investigatory Powers Commissioner has been created specifically for this legislation and will be appointed by the Prime Minister. That in itself was an issue subject to some debate with a select committee of MPs arguing that the commissioner should be appointed by the Lord Chief Justice rather than the Prime Minister. In the end, the government won out.
Some further improvements come in the form of more precise wording. Any notice would have to specify what sort of obligation will be applied to a communications provider. Most noteworthy in this context is section 254 (5)(c):
The obligations that may be specified in regulations under this section include, among other things ... obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.
Other obligations are clearly intended to allow for government tapping of internet communications and after-the-fact provision of stored data from ISPs.
There is also a list of things a Secretary of State must consider before posting a relevant notice, including:
- likely benefits of the notice
- number of users
- technical feasibility of complying
- cost of complying, and
- "any other effect of the notice on the person"
In short, what the law's passage through Parliament has done to the UK government's ability to force tech companies and telcos to introduce backdoors into their technologies is make it slower and a little tougher.
Does it prevent the UK government from breaking encryption? It absolutely does not. In fact, it foresees it.
Does it mean that customers will be made aware that their communications and traffic are compromised by a backdoor? No, it does not. All of the checks and balances are safely contained within the upper levels of government and the judiciary.
Based on what both the UK and US governments have done in the past with all-encompassing orders that are time-based rather than product-based, and considering the fact that there is nothing that says it has to be done on a case-by-case basis, it's a safe bet that the government will approve one-size-fits-all "technical capability" notices for specific companies.
Where will the balance between protecting consumers and providing access to law enforcement and security services lie? We will likely never know in any useful detail since no one is under any obligation to make that reasoning or argument available outside the small group of individuals that take the decision.
Nuts of it
Most critically, if a Cabinet minister decides he or she wants a backdoor to be introduced into some software, is there anything that can stop him or her? The answer to that is almost certainly no, except that he or she can be slowed down and would likely make some concessions to move ahead.
If the Home Secretary and the Prime Minister both want a backdoor into some service, is there anything that can stop them? Again, no, but a brave Investigatory Powers Commissioner could delay it for a few years.
And in the broader picture, will the UK government be able to force the likes of Twitter or Facebook or Google or Apple to introduce backdoors and/or hand over user data? And the answer to that is: let's wait and see.
The UK government can certainly insist that a company not based in the UK carry out its orders – that situation is specifically included in the new law – but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the UK market.
At the end of the day, will the UK security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
Will they do it for less than that? You'll probably have to ask the Home Secretary. ®