
UK govt: No, really, we're not banning cryptography

The draft Investigatory Powers Bill debate goes on

Home Secretary Theresa May introduces draft Investigatory Powers Bill to MPs. Pic credit: Parliament TV

IPB The UK government has restated it has no desire to ban strong encryption, nor will it require surreptitious access to communications, in a response to several accusations levelled against it.

In a response to a parliament.uk petition with over 10,000 signatures, the Home Office repeated that it "is not seeking to ban or limit encryption".

The statement went on to say explicitly that the government "recognises the importance of encryption, which helps keep people's personal data and intellectual property safe from theft by cyber means. It is fundamental to our everyday use of the internet".

"Without the development of strong encryption allowing the secure transfer of banking details there would be no online commerce," came the official line.

The statement added: "As Baroness Shields made clear in the House of Lords on 27 October 2015, the UK government does not require the provision of a back-door key, or support arbitrarily weakening the security of internet services."

The petition was launched by Adrian Kennard, the mouthy MD at niche ISP Andrews & Arnold. Referring to the government's response, Kennard stated "they are clearly confused".

A map showing the distribution of those who had signed the petition reveals that the great weight of signatures originates from university towns. The only constituency that did not petition the government once on this matter was that of Rhondda in the south of Wales.

Kennard stated the use-case for requiring Communication Service Providers to "remove encryption that they have themselves applied from intercepted communications" made "no sense [as] why would you have an intercepted communication that is encrypted?"

This, of course, is likely to happen, as telephone, email, and social media service providers will encrypt content during the course of its transmission through their systems, or while it's stored there, as paragraph 13 of the draft Investigatory Powers Bill's Guide to Powers and Safeguards explains:

13. Interception is the making available of the content of a communication – such as a telephone call, email or social media message – in the course of its transmission or while stored on a telecommunications system.

In a section of his response titled "Explain it as you would to a child..." Kennard repeated the government's own arguments back to it. His specific concern was the government line that there "shouldn’t be a guaranteed safe space for terrorists, criminals and paedophiles to operate beyond the reach of law".

Such a safe space was inevitable because of cryptography, argued Kennard, adding that: "The fact that the government claim[s] to support encryption but still think[s] that it can get access to communications (with a warrant) means it basically does not understand what encryption is."

The government's position does not appear to dispute the necessity of cryptography nor show ignorance about the fact that both wrong-doers and law-abiding privacy-conscious citizens are using security-enhancing technologies.

The statement does not refer to end-to-end encrypted communications, but rather CSP-controlled data.

The statement all but confirmed the draft Investigatory Powers Bill would make no changes in regard to non-CSP applied encryption (emphasis is our own):

[W]e need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can, subject to a warrant which can only be issued using a strict authorisation process where it is necessary and proportionate, access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts.

There are already requirements in law for Communication Service Providers in certain circumstances to remove encryption that they have themselves applied from intercepted communications.

This is subject to authorisation by the Secretary of State who must consider the interception of communications to be necessary and proportionate. The Investigatory Powers Bill will not ban or further limit encryption.

How "clear" the oversight and how "robust" the legal framework will be remain core to debates about the draft Investigatory Powers Bill. ®
