The UK government’s message about the use of end-to-end encryption remains deeply unclear.
The government’s controversial web surveillance legislation continues to make its way towards being law, but what it will mean for the use of encryption in the UK remains murky.
During scrutiny of the Investigatory Powers Bill in the House of Lords last week the government took a rather vague stance on whether end-to-end encryption would be allowed to be used in the UK, suggesting that while it did not want to ban it, it wanted tech companies to have some way of decrypting those communications.
While some tech companies do have the ability to decrypt their customers’ conversations – largely because they need to analyse them themselves so they can better target their customers with advertising – not all can.
Companies such as Apple and WhatsApp offer end-to-end encrypted communications to customers, which means only the sender and the recipient are able to read them. This worries police, who say they need access to all communications to stop criminals plotting in secret. But privacy campaigners warn that undermining encryption would hurt security online and damage UK businesses – and that criminals would simply use encrypted services overseas.
When questioned by Labour and Liberal Democrat peers in the House of Lords, Earl Howe, defence minister and deputy leader of the House of Lords, said: “If we do not provide for access to encrypted communications when it is necessary and proportionate to do so, we must simply accept that there can be areas online beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. That cannot be right.”
And when asked in particular about the use of end-to-end encryption he said: “We start from the position that we do not think that companies should provide safe spaces to criminals to communicate. They should maintain the ability, when presented with an authorisation under UK law, to access those communications,” before noting that the government will take into account a range of factors, including technical feasibility and likely cost.
But when pressed on the particular issue of end-to-end encryption he added: “I was certainly not implying that the government wished to ban end-to-end encryption; in fact, we do not seek to ban any kind of encryption. However, there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication. It is not possible to generalise in this situation.”
If end-to-end encryption can be decrypted, it’s not end-to-end encryption. By one reading that would suggest the legislation will either deliberately or by accident ban the development of such security by UK companies. Quite how the government will resolve this issue of having its encryption cake and eating it is unclear.
In reality of course most encrypted services originate outside of the UK, and it’s unlikely that foreign companies would pay much attention to UK law; however UK-based services will be subject to the law and may be required to use less powerful encryption as a result.
However, the government has clarified another controversial element of the legislation, which also requires that internet companies keep details of the internet browsing of everyone in the UK for 12 months. This provision in the law goes much further than any other Western country in storing the behaviour of people online.
The government has now said these internet records can only be accessed to investigate offences serious enough that an offender can be sentenced to at least six months’ imprisonment, plus others such as offences related to stalking, cyberbullying and harassment which can, if not investigated, quickly escalate to more serious offences, as well as offences committed by corporate bodies–for example, corporate manslaughter.
However, some peers still questioned the need for storing these records at all: Liberal Democrat peer Lord Paddick, himself formerly a deputy assistant commissioner of the Metropolitan police, said any terrorist or criminal who is the least bit technologically aware can easily and simply avoid giving away any useful communications data derived from internet connection records by using a virtual private network.
“If you use a VPN, the only internet connection record visible to law-enforcement agencies is the one connection to the secure server operated by the virtual private network provider,” he said, and warned that records are “unacceptably intrusive on innocent people’s privacy”.