On 29 January 2017 the Investigatory Powers Bill (IPB) became law in the UK. It has been described by the likes of Edward Snowden as “the most extreme surveillance in the history of western democracy.”
Digital rights organization the Open Rights Group has obtained a leaked draft document. This is part of a closed government consultation on plans to put into practice some of the more controversial powers granted to it under the IPB.
These plans involve expanding the government’s surveillance capabilities in two key areas.
1. Mass realtime surveillance of Internet Service Providers and telecoms customers
According to the Draft Technical Regulations, the UK government will be able to intercept the realtime internet and phone data of one out of 10,000 citizens at any given time.
This mass surveillance capability will allow the government to monitor 6,500 citizens at any given moment in realtime.
Internet Service Providers (ISPs) and telecoms companies will be required to hand over this information “in an intelligible form,” within one working day. This includes encrypted content.
2. Introduction of “backdoor” access to encrypted products
ISPs will be required to introduce backdoor access to their networks, so that they can remove encryption.
Based on previous comments made by senior government ministers, it is expected these provisions will also be applied to encrypted chat services such as WhatsApp, Facebook Messenger, and Apple iMessage.
This backdoor-ing of encrypted communications, in particular, is likely to be highly contentious. Not only is such a clear violation of individuals’ privacy ethically questionable at best, but it makes users less secure. A backdoor for law enforcement is also a backdoor for criminal hackers.
The proposals also raise major practical problems….
UK Companies Only?
Will the requirement only be enforced against UK companies? If so, then surely anyone who cares about privacy will simply use non-UK products? This would make such a law entirely ineffective at catching criminals or terrorists.
What it would achieve, however, is to destroy British technology businesses whose products rely on encryption. After all, why the hell would anyone choose to use a product that is known (or at least, can be assumed to be) backdoor-ed by the UK government?
This point is particularly relevant in the context of Brexit, because the tech industry is one business sector in which Britain is currently a world leader. Forcing UK-made encrypted products to include a backdoor must inevitably damage their market position.
The government could attempt to persuade companies such as Google, Facebook, Amazon, Apple, and Microsoft to cooperate with its plans, but what incentive would they have to do so?
This is especially true with the likes of Apple, which has strenuously resisted efforts by its own government to compromise its encryption. Microsoft, too, has recently shown little inclination to cooperate with the US government when it comes to spying on its customers.
If these US companies are unwilling to cooperate with the US government in this area, what hope does the UK government have of talking them round?
Alternatively, the UK government could attempt to force compliance with UK laws on international companies that wish to do business in the UK. However…
- The UK makes up a very small percentage of the global market. The damage done to international companies’ reputations by complying with UK demands would likely not be worth the relatively modest loss of income that withdrawing from the UK market would incur.
- Would the UK government really be willing to risk this happening? The financial cost to the UK economy could be near catastrophic.
- In addition to this, how would UK voters respond to news that they could no longer buy iPhones and Windows laptops, or access their Gmail accounts? There would be chaos!
What About Open Source?
The notion of effectively banning strong end-to-end encryption becomes even more laughable when we consider open source projects, such as OpenVPN or the Signal messenger app. These are among the most robust encryption products available, and can be downloaded from international servers by anyone with an internet connection.
Many open source programs are the result of community-led development. In the case of something such as Signal, which is developed by Open Whisper Systems, the non-profit nature of such software means the UK government has zero leverage in either persuading or coercing developers to comply with its rules.
Indeed, open source software can be audited to ensure that it has not been tampered with. If even a whiff of suspicion was aroused, it could be forked into new, untampered-with versions.
As laid out in the IPB itself, a warrant will be required before such surveillance can be carried out. This must be issued by a secretary of state and authorised by a special judicial commissioner.
These judicial commissioners, however, are a group of retired judges, hand-picked by the government. They will not have the technological expertise or understanding of covert surveillance necessary to make informed decisions, so will effectively rubber-stamp ministerial edicts.
Their role, therefore, will simply be to ensure that the correct procedures have been followed. Even here, ministers can delay this minimal judicial oversight for five days simply by declaring the case “urgent.”
In theory, the government consultation that the leaked draft document is part of is open to comment from anyone. Responses must be filed with the Home Office before 19 May.
In reality, however, the government has done its best not to alert the general public about its plans. The document was only circulated among the UK government’s Technical Advisory Board and various government agencies such as MI5 and GCHQ. The Technical Advisory Board consists of representatives from six of the UK’s major telecoms companies.
It should be noted that the UK government is under no legal obligation to consult with anyone over its plans.
Despite the rather clandestine nature of the consultation, the plans outlined in the leaked document merely confirm that the government plans to push ahead with objectives already clearly laid out in the Investigatory Powers Act.
The fact that these plans are morally reprehensible and wildly impractical seems to be neither here nor there. If the government does succeed, it will critically damage UK technology companies and severely weaken the security of users of encrypted products.
It also means that UK citizens will be living in a surveillance state that would make George Orwell’s Big Brother proud.