UK surveillance law still fuzzy on decryption rules for comms providers

A little more detail has emerged about how a key component of the controversial UK surveillance law, the Investigatory Powers Act, which was passed at the end of last year, is likely to function — after a government consultation document on so-called Technical Capability Notices was published yesterday by the digital rights organization Open Rights Group.

Technical capability notices refer to the statutory instrument by which the U.K. government will be able to place obligations on ISPs and communications services providers to ensure government surveillance capabilities set out in the legislation are able to function.

The draft document sets out requirements for communications services providers to maintain the capability to hand over de-encrypted data in “near real time” when served a warrant by a government agency, and to be able to simultaneously intercept comms and metadata for up to 1 in 10,000 of their customers.

The regulation also specifies that ISPs must consider the “obligations and requirements imposed by any technical capability notice when designing or developing new telecommunications services or telecommunication systems.”

It’s not clear when the requirements will come into force. The document notes the regulations may be cited as “the Investigatory Powers (Technical Capability) Regulations 2017” — but a place for a date for when they come into force remains blank, presumably as the consultation, which runs until May 19, continues.

As The Register reported yesterday, this is a targeted consultation, focusing on the industry entities likely to be subject to such notices. The document has also already been seen by the Home Office Technical Advisory Board — whose members include individuals from Lockheed Martin International, O2, BT, BSkyB, Cable and Wireless, Vodafone and Virgin Media — as well as certain unnamed government agencies who would be making use of the powers.

Some of these details were already teased out during a committee session on the Investigatory Powers bill in the House of Lords last summer. Speaking on behalf of the government then, Lord Howe said: “Law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances. Subject to strong controls and safeguards to address the increasing technical sophistication of those who would seek to do us harm.”

However, now, as then, it’s still not clear whether or not the government is explicitly outlawing end-to-end encryption, given that a provider that does not hold encryption keys (e.g. WhatsApp) would not be able to hand over de-encrypted data (and would therefore, at least technically, be falling outside the law) — and thus whether or not it will try to use the Technical Capability Notices to force companies not to use E2E encryption, or else build in backdoors (as critics have warned).

While the vague wording of the legislation, and the equally vague responses of government ministers, suggest it could technically be outlawing E2E encryption, the government has not explicitly stated that is the intention. So, as U.K. cyber security professor Eerke Boiten puts it: “We’re still stuck on whether ‘applied by or on behalf of’ covers E2E where the ‘relevant operator’ doesn’t have the keys.”

Speaking to TechCrunch, Boiten added: “I agree that the best and likeliest interpretation of that is that they do have the power to tell ‘relevant operators’ not to use E2E… but there’s no final answer from government.

“It’s very important to note that the question got asked and asked again [during bill committee sessions], and that the answer was avoided, but the net effect is that we don’t know any better whether they hold the view that they could use it to ban E2E or not.”

And the net effect of that fuzziness is continued uncertainty for U.K. citizens and businesses, and a knock-on erosion of trust in the security of domestic digital services if people think they might come with government-mandated, exploitable backdoors.

Nor is that the only potential collateral damage here; democracy is also taking a hit if we can’t decrypt the legislation on encryption.

Making this point, Boiten flags prior comments made by QC David Anderson, the government’s independent reviewer of terrorism legislation, on the older patchwork of U.K. surveillance legislation (RIPA) that the IP Act was intended to update and replace. In a 2015 report on government surveillance capabilities, Anderson wrote: “The desire for legislative clarity is more than just tidy-mindedness. Obscure laws — and there are few more impenetrable than RIPA and its satellites — corrode democracy itself, because neither the public to whom they apply, nor even the legislators who debate and amend them, fully understand what they mean.”

The key line there being: “Obscure laws… corrode democracy itself.” And when it comes to encryption, U.K. politicians have been failing to make their intentions clear for years now.

Which sure looks like intentional and undemocratic obfuscation.

The current U.K. government also only recently published what appear to be the final versions of its operational cases setting out justification for the intrusive surveillance powers set out in the IP Act — likely putting these online ahead of civil service purdah after the Prime Minister called a surprise election for June 8.

Commenting on the operational cases, the Open Rights Group’s executive director Jim Killock objected to another lack of specificity: “The updated operational case for communications data shows again just how extensive the government’s surveillance regime is, with a large number of government organisations and local authorities being able to access our personal communications data.”

Last month the group also called on the government to state how it will respond to a ruling by the European Court of Justice (CJEU) last December that general and indiscriminate retention of comms data is illegal — which ORG argues calls into question the legal basis for the current data retention regime. (The CJEU ruling pertains to a legal challenge brought against DRIPA, an earlier piece of surveillance legislation that sunsetted at the end of 2016, and which the IP Act was introduced to replace.)

The U.K.’s new surveillance regime includes a provision requiring ISPs to collect and retain comms data on all their users for a period of 12 months — effectively logging the web browsing activity of all U.K. citizens in order that individual warrants could be served against this data up to a year afterwards. So, once again, that’s a general and indiscriminate data retention requirement.

“The CJEU said that blanket data retention was not permissible and should only be used for serious crime. It also said that there needed to be independent authorisation for access to communications data. The government has yet to respond publicly to this ruling. It’s vital that the government clarifies its position before the election,” said Killock last month.

It does not appear that the government has clarified its position on that front either. We’ve reached out to the Home Office to ask for its response to the ruling and will update this story with any response. But with the Brexit negotiations for the U.K. to leave the European Union having been started this spring, the government may now be hoping to kick the CJEU ruling into the long grass as it works to take the U.K. out of the jurisdiction of the court.