While the small matter of a new Prime Minister was dominating the headlines last week, the Investigatory Powers Bill was going through the next stage of its procession towards becoming law.

Posted on 19 July 2016 - Government
On Wednesday, July 13, the same day that Theresa May replaced David Cameron as PM, the Investigatory Powers Bill was being discussed at the committee stage in the House of Lords. The draft bill was a central plank of May’s work in her previous role as Home Secretary.
For the uninitiated, the Investigatory Powers Bill is what is colloquially known as the Snoopers’ Charter. The bill was previously called the Draft Communications Data Bill, which was defeated after the Liberal Democrats refused to support it in the House of Commons in the last parliament.
At the start of the current parliament, May introduced the Draft Investigatory Powers Bill, which covers much of the same ground. We discussed its potential impact on our customers in this blog post.
One of the key concerns that has been expressed in relation to the bill is about the threat it poses to end-to-end encryption. The latest debate indicates that there are still questions to be answered over how encryption would be dealt with if the bill became law.
Minister of State for Defence, Earl Howe, sang the praises of encryption’s capabilities to protect each of us, before going on to suggest that the Government needs a way to circumvent it.
“Encryption keeps people’s personal data and intellectual property secure and ensures safe online commerce. The Government work closely with industry and businesses to improve their cybersecurity. However, law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances—subject to strong controls and safeguards—to address the increasing technical sophistication of those who would seek to do us harm.
“Encryption is now almost ubiquitous and is the default setting for most IT products and online services. If we do not provide for access to encrypted communications when it is necessary and proportionate to do so, we must simply accept that there can be areas online beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. That cannot be right.”
We wrote in support of Apple recently, as they fought against an FBI demand that they should break their own encryption to allow access, because allowing a loophole for the authorities would create a loophole for cybercriminals, too.
Some in the House of Lords committee debate understood this and recounted the advice of experts.
Lord Strasburger said:
“All the experts who gave evidence to the Joint Committee, and with whom I have discussed this matter since, agree that the phrase “removal of electronic protection” must include decryption of encrypted information and/or weakening of encryption in some way. They are deeply alarmed about it.
“Encryption is a vital feature of all the financial, commercial and personal activity on the internet. The Government have confirmed on several occasions, including in answer to questions in this House, that any weakening of or back-door access to encryption would threaten the entire operation of large parts of the digital economy. Once the integrity of cryptosecurity has been compromised for one set of users—in this case the Government—that weakness is available for everyone, including hackers, criminals, terrorists and hostile Governments, to exploit.”
The debate indicates there is an uncomfortable relationship between the technological policy at the heart of the bill and the advice of experts in the subject matter.
Responding to a proposed amendment that would “make[…] it explicit that a company would be required to remove the electronic protection only where it had the current capacity to do so and that it should not have to engineer it”, Howe seemed to suggest that there would be no FBI-style insistence on the breaking of encryption.
“Many of the biggest companies in the world rely on strong encryption to provide safe and secure communications and e-commerce, but nevertheless retain the ability to access the contents of their users’ communications for their own business purposes—and, indeed, those companies’ reputations rest on their ability to protect their users’ data. In many cases, we are not asking companies to do something that they would not do in the normal course of their business.”
But in the very same debate, he dismissed an amendment that would have clarified that situation.
He told the committee:
“This amendment is not necessary because the Bill makes absolutely clear that a telecommunications operator would not be obligated to remove encryption where it is not reasonably practicable for it to do so. It is important to highlight that the amendment would in many cases prevent our law enforcement and security and intelligence agencies from being able to work constructively with telecommunications operators as technology develops to ensure that they can access the content of terrorists’ and criminals’ communications.
“Depending on the individual company and circumstances of the case, it may be entirely sensible for the Government to work with them to determine whether it would be reasonably practicable to take steps to develop and maintain a technical capability to remove encryption that has been applied to communications or data.”