Last week, the government of the United Kingdom proposed a bill that would codify and expand the surveillance powers afforded to UK intelligence and law enforcement agencies. The Draft Investigatory Powers Bill would consolidate current laws governing surveillance and police investigations, codify the UK government’s and courts’ interpretations of what those laws permit, and in some instances extend existing law to grant new powers to government.
Civil liberties advocates are up in arms about the bill, which has been nicknamed the “Snooper’s Charter.” The UK government has secretly monitored its citizens for years, but the Investigatory Powers Bill would grant official legitimacy to a surveillance regime that’s been called “sweeping,” “chilling,” and beyond Orwellian. As written, the bill would allow the authorities to compile records in bulk about Britons’ communications and digital activities, without due cause or meaningful oversight.
Section 189 of the bill would permit the UK Secretary of State to issue regulations obligating telecommunications service providers (which would include ISPs) to maintain the technical capability to remove encryption from “any communications or data.” The Secretary of State could then issue a notice to anyone subject to those obligations, requiring the recipient to take specific steps to comply. The bill also applies these regulations extraterritorially. That is, the Secretary of State would have the power to issue notices to “persons outside the United Kingdom” and to require actions to be taken outside the UK.
According to Ars Technica UK, Home Secretary Theresa May has stated that the bill doesn’t ban encryption. But that’s a half-truth. Permitting only encryption that can be removed means, as Edward Snowden commented on Twitter, banning “encryption that works.” Indeed, May went on to say that under the bill, Internet companies would be expected to “take reasonable steps” to provide data in unencrypted form when served with the legal process specified in the bill (which, as said, is not meaningful). The bill’s “technical capability” requirements would limit Britons to encryption products and services that they could not trust to keep their personal data secure.
What’s more, the bill’s extraterritoriality provision would require any telecom or Internet company doing business in the UK, whether based there or not, to weaken its encryption offerings for the British market. For an American company such as Apple, which (as we’ve covered) already offers encryption the company itself can’t remove, the bill would pose a difficult decision. The company could maintain a separate “removable” version of its encryption services for the UK. Or, if that option didn’t make business sense, it could decide to offer only the compromised version worldwide. Third, it could refuse to comply with the law. If so, the company would either have to stop doing business in the UK, or continue and be exposed to the civil and criminal penalties provided under Section 31 of the draft bill.
None of these are attractive options, and they highlight the negative policy implications of the Draft Investigatory Powers Bill’s encryption provisions. The law wouldn’t just be a raw deal for the British – it could have negative ramifications worldwide. The next few months will provide a crucial opportunity for advocacy by civil society groups to urge revisions to the bill before it comes up for a vote in Parliament in the spring. The Center for Internet and Society will be following that process closely, as we’re working to uncover and analyze the ways that governments around the world are attempting to use statutory authority to force decryption, obtain encryption keys, or demand backdoors.