A little moredetail has emerged about howa key componentof thecontroversial UK surveillance law, the Investigatory Powers Act, which was passed at the end of last year, is likely tofunction after a government consultation document on so-called Technical Capability Notices was published yesterdayby the digital rights organization Open Rights Group.
Technical capability notices refer tothe statutory instrumentby which the U.K. government will be able to place obligations on ISPs and communications services providers to ensure government surveillancecapabilitiesset out in the legislation are able tofunction.
The draft documentsets out requirements for communications services providers to maintain a capability to be in a position to hand over de-encrypted data in near real time when served a warrant by a government agency, and to have the capability to intercept simultaneously comms and metadata for up to 1 in 10,000 of their customers.
The regulation also specifies that ISPs must consider the obligations and requirements imposed by any technical capability notice when designing or developing new telecommunications services or telecommunication systems.
Its not clear when the requirementswill comeinto force. The document notes the regulations may be cited as the Investigatory Powers (Technical Capability) Regulations 2017 but a place fora date for when they come into forceremains blank, presumably as the consultation, which runs until May 19, continues.
As The Register reported yesterday, this isatargeted consultation, focusing on the industry entitieslikely to be subject to such notices. The document has also already been seen by the Home Office Technical Advisory Board whose members include individuals from Lockheed Martin International, O2,BT, BSkyB,Cable and Wireless, Vodafone and Virgin Media as well as certain unnamed governmentagencies who would be making use of the powers.
Someof these details were already teased out during a committee session on the Investigatory Powers billin the House of Lords last summer. Speaking on behalf of the government then, Lord Howe said:Law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances. Subject to strong controls and safeguards to address the increasing technical sophistication of those who would seek to do us harm.
However, now, as then, its still not clear whether or notthe government is explicitly outlawing end-to-end encryption, given thata provider thatdoes not hold encryption keys (e.g. WhatsApp) would not be able to hand over de-encrypted data (and would therefore, at least technically, be falling outside the law) and thus whether or not it will try to use the Technical Capability Noticesto force companies not to use E2E encryption, or else build in backdoors (as critics havewarned).
While the vague wording of the legislation, and the equally vague responses of government ministers, suggests it could technically be outlawing E2E encryption, the governmenthas notexplicitly stated that is the intention.So,as U.K. cyber security professorEerke Boitenputs it: Were still stuck on whether applied by or on behalf of covers E2E where the relevant operator doesnt have the keys.
Speaking to TechCrunch, Boitenadded: I agree that the best and likeliest interpretation of that is that they do have the power to tell relevant operators not to use E2E but theres no final answer from government.
Its very important to note that the question got asked and asked again [during bill committee sessions], and that the answer was avoided, but the net effect is that we dont know any better whether they hold the view that they could use it to ban E2E or not.
And the net effect of that fuzziness is continued uncertainty for U.K. citizens and businesses, and a knock-on erosion of trust in the security of domestic digital services if people think they might come with government-mandated, exploitable backdoors.
Nor is that the only potential collateral damage here; democracy is also taking a hit if we cant decryptthe legislation on encryption.
Making this point, Boiten flags prior comments made by QC David Anderson, the governments independent reviewer of terrorism legislation,on the older patchwork of U.K. surveillance legislation (RIPA) that the IP Act was intended to update and replace. In a2015report on government surveillance capabilities, Andersonwrote: The desire for legislative clarity is more than just tidy-mindedness. Obscure laws and there are few more impenetrable than RIPA and its satellites corrode democracy itself, because neither the public to whom they apply, nor even the legislators who debate and amend them, fully understand what they mean.
Which sure looks likeintentional and undemocratic obfuscation.
The current U.K. government also only recently published what appear to be the final versions of its operational cases setting out justification for the intrusivesurveillance powers set out in the IP Act likely putting theseonline ahead of civil service purdah after the Prime Minister called a surprise election for June 8.
Commenting on theoperational cases, the Open Rights Groups executive director Jim Killock objected toanother lack of specificity:The updated operational case for communications data shows again just how extensive the governments surveillance regimes is, with a large number of government organisations and local authorities being able to access our personal communications data.
Last month thegroup alsocalled on the government to state how it will respond to a ruling by the European Court of Justice (CJEU)last December that general and indiscriminate retention of comms data is illegal which ORGargues calls into question the legal basis for the current data retention regime. (The CJEU ruling pertains toa legal challenge brought againstDRIPA, an earlier piece of surveillance legislation thatsunsetted at the end of 2016, but whichthe IP Actwas introducedto replace.)
The U.K.s new surveillance regimeincludes a provision requiring ISPs to collect and retain comms data on all their users for a period of 12 months effectively logging the web browsing activity of all U.K. citizens in order that individual warrants couldbe served against this data up to a year afterwards. So, once again, thats a general and indiscriminate data retention requirement.
The CJEU said that blanket data retention was not permissible and should only be used for serious crime. It also said that there needed to be independent authorisation for access to communications data. The government has yet to respond publicly to this ruling. Its vital that the government clarifies its position before the election, said Killock last month.
It does not appear thatthe government has clarified its position on that front either.Weve reached out to the Home Office to ask for its response to the rulingand will update this story with any response. But with the Brexit negotiations for the U.K. to leave the European Union having been startedthis spring, the governmentmay now be hoping to kick the CJEU rulinginto the long grass as it worksto take the U.K. out ofthe jurisdiction of the court.