A new US-UK data agreement is worrisome but it won’t give access to encrypted comms

CLOUD Act details surfacing in a fog of confusion

A new treaty between the US and UK will require social media companies like Facebook to hand over private messages but, contrary to recent reports, will not break end-to-end encryption or force them to add backdoors to their software.

That’s the upshot of a weekend of frantic commentary and debate over the CLOUD Act, which will likely be signed next month. The legislation is troubling, especially since it will legally require tech companies to hand over messages when requested by the authorities - an approach that has been wildly and consistently abused in the past - but it will not force those companies to provide them in a readable format.

The confusion is understandable: the security services have been pushing hard for the new legislation and have talked about the law allowing them to place "virtual crocodile clips" on modern forms of communication such as encrypted chat and call apps.

But there is a significant degree of justification behind the law, at least in concept. Currently, authorities in the US and UK are required to fall back on a law from the 1980s in requesting electronic information on criminal suspects.

That causes significant delays in the provision of potentially important information because it requires UK authorities to go through the US courts to get the information, and vice versa. The CLOUD Act will make that information exchange much faster.

Advocates of the law have been flagging notable cases, such as the murder of 13-year-old UK citizen Lucy McHugh. In that case, the man suspected of murdering her, Stephen Nicholson, had interacted with the girl through Facebook Messenger and the authorities wanted to know what was in those messages, for obvious reasons.

In the end, Facebook - which is based in the US - only handed over a log of the messages, with no content, and that log only arrived on the day the trial started. It was very far from perfect; the only good news being that Nicholson ended up being convicted and jailed for life.

Facebook Messenger does not have encryption turned on as a default - you have to select it - and as such, under the new law, the UK authorities would have had access to messages sent between the two.

The situation is different, however, when it comes to apps like WhatsApp, which is also owned by Facebook. WhatsApp has end-to-end encryption turned on by default, and that is what may have caused confusion in media reports at the weekend.

The head of WhatsApp, Will Cathcart, responded on Sunday to the reports, noting “we were surprised to read this story and are not aware of discussions that would force us to change our product.”

He added: “We believe people have a fundamental right to have private conversations… We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves. In times like these we must stand up both for the security and the privacy of our users everywhere. We will continue to do so.”

A lengthier analysis by former Facebook CISO Alex Stamos on Twitter digs into the history of the new CLOUD Act, the current situation and what will change under the new law. In a nutshell, it will give the UK authorities the right to issue a request that is equivalent to that of a US court; and the US authorities to do the same for a UK court.

But, crucially, it will not give either country additional rights. The US courts are not (currently) allowed to force a company to decrypt messages, or to install backdoors in its software in order to do so, and so neither will the UK authorities be allowed to do so.

There are also some additional safeguards: US authorities will only use their new powers to investigate cases based in the US; and UK authorities only with the cases in the UK. Additionally, the US authorities have agreed that no information provided by the UK can be used as evidence in cases where the death penalty is under consideration, which isn't really an issue as capital punishment has been banned in the UK since 1969.

That doesn’t mean that the CLOUD Act is all good news however. The NSA in the US and GCHQ in the UK have a long history of abusing the law, often through secret interpretations of it, in order to gain as much access as possible to private citizens’ communications.

It is a virtual certainty that the security services have attempted to introduce language - and likely have succeeded in doing so - that they are confident they can later re-interpret in a way that grants them greater access than was envisioned.

You only need look at the aftermath of the Snowden revelations and the ridiculous interpretations that still exist within current spying programs in both the UK and US to see what direction the law is headed.

That said, it is equally ridiculous that in the internet era - where people’s use of social media is instant and seamless - that people investigating serious criminal matters cannot gain access to vital evidence because the company that offers the communication service is based in a different country.

In that sense, the CLOUD Act will help bring laws that everyone is comfortable with into the digital era. And it does not extend or expand powers beyond that. At least not on paper and not yet. ®

Biting the hand that feeds IT © 1998–2021