By Riana Pfefferkorn on February 23, 2023 at 5:01 pm
The UK Government is proposing to change the law to make it easier for them to prosecute those who sell or possess “sophisticated encrypted communications devices.” What are those? They’re the sorts of devices used in the Sky, EncroChat, Phantom Secure, and ANOM secure phone networks. (All of which led to numerous prosecutions after takedown operations by law enforcement, which makes you wonder why the government wants to ban something that’s proved so fruitful in catching baddies, but I digress.)
I don’t like this proposal, as I told Joseph Cox at Motherboard. (Joseph is a journalist who’s both British and, as the foregoing links reveal, has extensively covered secure phone networks and their infiltration by the police, including for his upcoming book on ANOM.) It would effectively turn owning or offering one of these devices into a strict liability crime. That’s because the only defense the proposal carves out is one that would be impossible for defendants to invoke in practice, due to the Government’s stance (which it states overtly in the proposal) that everyone who owns one is a criminal.
What’s the motivation for this proposal? On the face of it, two reasons: one, according to the proposal, the Government has found it just too hard to meet the burden of proof of convicting people who sell or own secure phones of a crime under the UK’s current laws. Therefore, it would like to just do away with that pesky burden so it can put people in prison more easily. Second, the Government says in the proposal that it can’t imagine any legitimate, legal uses for phones with extra security measures. So, it apparently would rather ban the devices than try to think of some. (No mention of the fact that its own officials’ phones have been hacked with spyware, which you’d think might interest the Government in other options, but I digress.)
However, it’s not even clear from the proposal which “sophisticated,” “bespoke” encrypted phones would be illegal and which wouldn’t. And the Government knows that it needs to get the definition right, or it’ll end up banning everybody’s mobile phone, now that strong encryption is the default for so many of our smartphones and messaging apps. (I’m not actually certain the UK Government doesn’t want to declare everyone a criminal, but I digress.) The devil, as usual, is in the details.
The Government is taking public comment on the proposals until March 21. You can submit your thoughts through this form. (It’s a weird form: some of the questions seem to be kinda-sorta soliciting self-incrimination from respondents? But I digress.)
Here's what I submitted. I submitted this as a member of the public in my personal capacity, not with my Stanford hat on, but I'm sharing it here (complete with the British spelling in the form and the American spelling in my responses).
Q1. Do you think that current offences are sufficient to tackle the issue of supply of articles for use in serious crime?
Yes, the current offences are sufficient.
Answering as to sophisticated encrypted phones: The Government’s proposal demonstrates that its problem isn’t with the offenses; it’s that the Government has trouble meeting its burden of proof “to the thresholds required to convict [people].” Therefore, the Government proposes to simply do away with the burden of proof and make offer, sale, or possession effectively a strict-liability offense. That’s undemocratic – which is to say, par for the course for the UK Government by this point.
To be sure, liability would require reasonable grounds to suspect the phone would be used in a serious crime. But the Government’s proposal says it can conceive of no ”need for anyone to use them for legitimate, legal reasons,” and pre-judges all users of such devices as “almost certainly criminal.” This indicates a lack of imagination, not a lack of legitimate uses. There are entire industries (legal services, healthcare, defense, human rights activism) where the ability to communicate securely is vital. Just ask the British politicians and victims of domestic abuse, such as those in the Johnson Government and the London-domiciled ex-wife of Dubai’s ruler whose phones were hacked with NSO Group spyware.
If the Government can simply declare by fiat that these devices are solely for illegitimate purposes and everyone who uses one is a criminal, then it follows that a seller or possessor of such a device could not reasonably suspect it’s for use in anything BUT serious crime. That’s what makes the proposal a strict liability offense in effect.
Q2. Which of the proposals for new criminal offences do you think should be pursued?
Q3. Which articles do you think should be listed for option 1? (low threshold and specified articles) (Please tick all that apply.)
Q4. Do you have any views on how any of the following articles should be defined?
· Sophisticated encrypted communications devices:
The definition is crucial. Where’s the line between “bespoke devices” and “commercially available mobile phones [and] the encrypted messaging apps available on them”? People must be put on notice of what is and isn’t criminal so they can comport their behavior accordingly. A lax definition coupled with strict criminal liability makes a mockery of due process.
As a foundational question: Does the Government propose to ban only the combination of device plus app(s)? Or will it be a crime merely to possess one or the other – a “bespoke” device OR a “bespoke” app?
Many “secure phones” are just heavily modified Android handsets. How much modification is too “sophisticated”? Is just removing the camera and/or microphone (as with Phantom Secure) enough? Relabeling messaging apps with a Calculator icon (as with Sky)? These changes are hardly "sophisticated.”
Which apps do you mean to ban? Will it be legal only to run apps downloaded from the Android or Apple app stores? Is it a crime to “sideload” an encrypted messaging app – or, heaven forbid, innovate by writing your own app, perhaps because you’d rather not use Big Tech’s?
If you get this wrong, you’ll end up criminalizing a lot of people whose only offense is using or selling a phone that is too abnormal for the Government’s official tastes. Either you’re an obedient consumer who uses what Samsung, Google, Apple, and Meta have to offer, or you’re a criminal. Good luck developing your moribund tech industry with that attitude.
Q5. Options 1 and 2 both tackle articles for use in serious crime. For the purpose of these options, what do you think “serious crime” should include?
Answering as to sophisticated encrypted devices: I don’t think these articles should be banned, so this question is not applicable. At any rate, I am American and thus too unfamiliar with these categories of offenses under UK law to comment here.
Q6. Do you think there should be a defence of “acting reasonably” available for these offences?
Answering as to sophisticated encrypted devices: The Government should have the burden of proving beyond a reasonable doubt that somebody sold/offered a device affirmatively intending that it would be used in a serious crime (however defined), or used their device to conduct a serious crime (i.e., the device was an instrumentality of the crime).
That is, there should be no need for a defense; the burden of proof should always be on the Government. But if there is one, it should be broadly construed and should carry a low bar to succeed, whereas the Government should have a high bar to convict.
What would the scope of the defense be? Will it encompass situations where the defendant sold devices mostly to “legitimate” (whatever that means) businesspeople, lawyers, domestic abuse victims, etc., but one of them later committed a crime? Must every seller undertake an in-depth background check of every potential customer, and anything less is “unreasonable”? Why put a higher burden on the sellers of secure phones than on the clerk at the local O2 Store?
Anyway, this defense is a fig leaf to cover up that this is a strict-liability offense. If the Government can’t conceive of any legitimate, legal use for such devices, how could an “acting reasonably” defense ever succeed, either for sale/offer or possession? What’s a sufficiently “legitimate” use to successfully invoke the defense, and who decides that? The whole concept is misguided. The presumption should always be of innocence, not guilt.
Q9. Outside of business, does your life involve the use of any of the following for legitimate activities? (Please tick all that apply.)
· Vehicle concealments
· Sophisticated encrypted communication devices
· Digital templates for 3D-printed firearm components
· Pill presses
If you selected any of the above articles, please explain the circumstances and how the proposed offences might impact you.
I have an iPhone with iMessage, WhatsApp, and Signal on it. I like to tweak the privacy settings to be more privacy-protective of my internet use, personal information, and location data. When I go to a political protest, I put it in airplane mode, in order to avoid unconstitutional surveillance by the police (e.g. through an IMSI catcher) on the grounds of my political activity.
Is my iPhone a “sophisticated encrypted communication device”? I have no idea, so I’m ticking the box and explaining myself, just to be on the safe side. Like I said, nobody can tell what you mean by that, so everybody’s at risk of criminal liability.
Q14. Do you think new civil powers should be available to allow seizure and forfeiture of articles intended for use in serious crime?
Q15. Do you have any comments, or further information or evidence to add to the impact assessment to inform these legislative proposals?
Secure phones have many legitimate uses. Past secure phone companies such as Silent Circle have catered to legal businesses. When a world leader needs a secure device, they don't invent a new one; they modify existing commercial off-the-shelf devices to suit their needs – just what you propose to ban.
The Government should take evidence from veterans of secure phone startups like Silent Circle, spyware hacking victims, military and defense representatives, etc.; from law enforcement about their experiences with EncroChat, ANOM, etc.; and from individuals (or their lawyers) who were caught up in those busts.
Taking evidence would help answer some crucial questions: Is the number of "legitimate" users truly a rounding error, compared to crime rings? In the investigations of EncroChat, ANOM, etc., what percentage of accounts (and conversations) turned out to be innocuous? Was there any pattern to the innocuous accounts (mobsters’ girlfriends, journalists, etc.)? Who sells these devices? How do the devices move about once they've entered the flow of commerce? If there’s an underserved market for legitimate users, should Government policy dissuade the creation of new devices to serve that market? Why did prior legitimate companies like Silent Circle go out of business?
Finally: One suspects these proposals are responsive to defense challenges in EncroChat and ANOM prosecutions – that really, they’re just the latest in the UK's long, ignoble history (RIPA, DRIPA, IP Act) of surveilling people, seeing that surveillance deemed illegal in court, then changing the law to legalize such surveillance going forward. For shame.