The UK Government faced a lot of backlash as it mooted banning strong encryption. Then word started to spread around that this was not what David Cameron meant when he said that he will pass legislation “that does not allow terrorists to communicate with each other”. Understandably, this has left everybody confused. So I decided to check the legislation.
Note - When discussing specific legislative clauses, I use the following syntax: s189(4)(c) refers to section 189, subsection 4, paragraph c of the Draft Investigatory Powers Bill. Unfortunately it only currently exists in PDF form, so you’ll have to scroll to the relevant sections yourself. Boo!
The Draft Investigatory Powers Bill doesn’t outright ban encryption, but it does certainly muddy the waters around the use of end-to-end encryption in the UK. s189 covers the “maintenance of technical capability”. s189(4)(c) places:
“obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data”.
We have to dig a bit deeper to learn how to parse this. A ‘relevant operator’ can be
“public postal services, or a telecommunications services”.
A ‘telecommunications service’ is:
“any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service”. - s193(11)
If you provide a telecommunications system then you can be served with a notice under s189 obliging you to remove any encryption that your service adds to communications. Before the Secretary for State can issue a notice, they must assess both the technical feasibility and cost of complying with the notice as specified in s190(3). One would think that this would prevent a notice being served for the removal of strong encryption, but if it doesn’t, it is possible to invoke the appeals process under s191. The Secretary for State may then consult both the Technical Advisory Board and Investigatory Powers Commissioner during appeals - who again will consider both the technical requirements and financial consequences of complying with a notice. During said review, you will be also be able to provide evidence to the Board and Commissioner, before the Secretary of State makes a decision to withdraw the notice.
So what does this mean?
Theresa May provided evidence to the Joint Committee on the Draft Investigatory Powers Bill, in which she stated (17:07:00 onwards) that the Government are believers in strong encryption. This Bill is simply repeating former legislation, albeit turning some secondary legislation into primary legislation. Therefore, the legal changes introduced by this Bill with regards to encryption are nil. The Home Office doesn’t care what type of encryption your service uses. They’re not interested in setting up a key escrow service. All they care about is that if they serve a s189 notice, you better be able to remove encryption.
Of course you have the chance to appeal. If you’re providing an end-to-end encrypted service, it is unclear if the cost of switching to a less secure encryption method will be defined as a reasonable financial cost of complying. s185 and s186 cover payments towards certain compliance costs, or developing systems enabling compliance, offering grants, loans, investments. Unfortunately, it does not provide financial cover for complying with technical capability notices. So in the current form, you’re on your own. There’s hope that the Technical Advisory Board (as defined in s183) will provide a pragmatic approach, given it is to include parties who would have obligations under this Bill.
I find this logic quite insidious. Any sensible compliance department will err on the side of caution and press to ensure that any encryption that their service provides can be removed, just in case they are served with a s189 notice. Some big names whose headquarters are outside of the UK might claim this law doesn’t apply to them and some smaller UK services may not bother, silently hoping that the UK government never comes knocking. But on the whole, such legislation doesn’t outright ban end-to-end encryption, it just makes it incredibly risky for a service to implement. In effect, they are spreading the culture of fear onto telecommunications service providers, whilst legally coercing them to weakening encryption for everyday users.
Finally, as I explained in my previous post on encryption, you’re still engaging in a game of legal whack-a-mole, chasing new services as they pop up. This is a bit of a mess.