Following months of uncertainty and a few weeks of intense speculation and spin, the UK government has published its draft Investigatory Powers bill, a piece of legislation incorporating sweeping surveillance powers frequently described and derided as a “snooper’s charter”.
In a classic Home Office move, the department published not just 300 pages of the bill and explanatory notes, but also 26 further documents regarding the powers it contains. This deluge has led one privacy activist to describe it as a “denial of service attack” on privacy and civil society groups:
Indeed, several privacy organisations have declined to comment until they have had a chance to examine the documents’ wording. While more issues will no doubt emerge soon, several major problems are immediately obvious.
End-to-end encryption
Prime minister David Cameron’s recent comments about allowing “no safe spaces” for terrorists made it obvious that an attack on encryption was in the works. In the run up to the bill’s arrival the government hinted that while encryption wouldn’t be affected, “end-to-end encryption” – where a company or service allows encrypted communications between its customers without having the ability itself to access or decrypt those communications – would be banned. This attempt to obfuscate was neatly skewered by Edward Snowden:
Depending on the papers you read, the Home Office briefed ahead that either encryption would be banned, or no new restrictions would be introduced. And in fact they’re both right.
The most quoted bit from a report by David Anderson, the independent reviewer of terrorism legislation, was that one of the major planks of law governing state surveillance powers, the Regulation of Investigatory Powers Act 2000 (RIPA), had been:
Obscure since its inception … This state of affairs is undemocratic, unnecessary and – in the long run – intolerable.
Through a subtle interpretation of RIPA, the new draft bill manages to support both the claims, that encryption will be banned and that no new measures will be introduced. The bill states:
RIPA requires communications service providers [CSPs] … to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP.
Section 12 of RIPA does indeed indicate that the secretary of state may ask CSPs to do anything considered reasonable to ensure they are ready for interception. This could be interpreted as arguing that the government may require CSPs to not use or offer any encryption that they cannot themselves provide keys to access – no “end-to-end” encryption, in other words, or only that which includes backdoors that can be used to subvert encryption’s protections.
This is consistent with all the leaks: end-to-end encryption is banned, but there are no new bans (as it derives from RIPA 2000).
We should seriously debate the role of our internet service proviers, or ISPs, telecoms firms and increasingly, web and smartphone apps, as providers of strong end-to-end encryption. These firms do not need to be actually involved in every encrypted communication, only to facilitate establishing such an encrypted link. Should any communication that takes place over that link be considered “under the control” of the provider?
Make no mistake, banning end-to-end encryption is a bad idea, introducing information security and privacy risks. Also, by forcing a company to essentially know its customers’ business or have a means to do so, it will increase the commercial and legal risk those firms face in regards to their responsibilities for that data. Privacy-enhancing technologies need to be protected as a crucial and growing part of the digital economy, not stamped out as a recalcitrant reaction to demands for privacy.
Bulk interference, bulk data retention
Another seriously problematic aspect of the draft Investigatory Powers bill that may see communications firms fleeing the UK are powers of “bulk equipment interference” and “bulk data retention”. Together these provide a means so that if encryption cannot be broken, it can be worked around.
Bulk equipment interference refers to what the government would call “hacking” were it accusing someone else of it. Only this year did the British government officially admit its intelligence services interfered with equipment in order to obtain information. They did this by presenting, out of the blue, an Equipment Interference Code of Practice for consultation. Then, just as campaign group Privacy International was about to have its complaint against GCHQ’s hacking heard before the Investigatory Powers Tribunal, the government surreptitiously rewrote the Computer Misuse Act, retrospectively exempting GCHQ from the law that was the subject of the complaint. The new bill would create an explicit legal basis for this sort of activity from the security and intelligence services, along with some sort of expected safeguards.
Bulk data retention, what anyone else would call mass surveillance, will require ISPs to retain every user’s internet connection records for 12 months, recording which websites and services had been accessed and when.
Together these requirements would make great demands of ISPs and telecoms companies. Their ability to serve their customers and the demands of the government will be highly compromised, forcing them to assist the government in circumventing any encryption their customers use.
The end game is clear: one where internet users in Britain are required to trust only the actions and intentions of the intelligence services, the home secretary, and whatever oversight mechanisms are in place to preserve any sense of privacy.