UK gov says new Home Sec will have powers to ban end-to-end encryption
Amber Rudd yet to emerge from blanket of ministerial double-speak
During a committee stage debate in the UK's House of Lords yesterday, the government revealed that the Investigatory Powers Bill will provide any Secretary of State with the ability to force communication service providers (CSPs) to remove or disable end-to-end encryption.
Earl Howe, a minister of state for defence and deputy leader in the House of Lords, gave the first explicit admission that the new legislation would provide the British government with the ability to force CSPs to “develop and maintain a technical capability to remove encryption that has been applied to communications or data.”
This power, if applied, would be imposed upon domestic CSPs by the new Home Secretary, Amber Rudd, who was formerly the secretary of state for energy and climate change. Rudd is now only the fifth woman to hold one of the great offices of state in the UK. As she was only appointed on Wednesday evening, she has yet to offer her thoughts on the matter.
Present at the House of Lords debate, the Liberal Democrat member Lord Strasburger complained that “the implication of what [the government] is saying is that no one may develop end-to-end encryption. One feature of end-to-end encryption is that the provider cannot break it; encryption is private between the users at both ends. He seems to be implying that providers can use only encryption which can be broken and therefore cannot be end to end, so the next version of the Apple iPhone would in theory become illegal. I think that there is quite a lot of work to be done on this.”
Earl Howe responded: “I was certainly not implying that the government wished to ban end-to-end encryption; in fact, we do not seek to ban any kind of encryption. However, there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication.”
As Labour member Baroness Hayter attempted to explain: “There will be times when state security undoubtedly needs access to encrypted information for a specific investigation. This is not the problem. The problem is whether the government would ever require a company to engineer such access, enforcing the company to create a model which, if then followed by other nations with perhaps less security than ours, would lead to a lowering of standards.”
Earl Howe stated that the government’s central point was that it did “not think that companies should provide safe spaces to terrorists and other criminals in which to communicate. They should maintain the ability when presented with an authorisation under UK law to access those communications”.
The admission follows Theresa May’s confession last November that, since the turn of the millennium, secretaries of state have been issuing secret directions under section 94 of the Telecommunications Act 1984, without any judicial authorisation. The first glimpse of oversight these received was published in a report by the Interception of Communications Commissioner’s Office (IOCCO) last week, which revealed that at least 23 directions were currently in effect on national security grounds.
Under the Investigatory Powers Bill, section 94 of the Telecommunications Act will be repealed, but secretaries of state will have the new power to issue national security and technical capability notices to much the same effect. Section 94, as Howe admitted, “has been used for a range of purposes, including for the acquisition of communications data in bulk” though these are now being codified in statute.
The oversight being introduced for these powers through the new Investigatory Powers Commissioner is an obvious improvement on the previous complete lack of oversight, and in a recent amendment to the bill the government added the need for a Judicial Commission to approve both national security and technical capability notices.
Not all parties are completely satisfied, however, with IOCCO continuing to recommend — as explained in its evidence to the bill’s Joint Committee [PDF] — that an Investigatory Powers Commission, rather than just a commissioner, would be necessary for the purpose of providing a “clear legal mandate for the oversight body”.
IOCCO explained that: “The reality is that the Judicial Commissioners will only be performing a very narrow part of the oversight – the prior authorisation of some of the more intrusive investigatory powers. The bulk of the oversight will actually be carried out by inspectors and staff within the Commission who need a clear legal mandate to require information from public authorities, to launch and undertake audits, inspections, inquiries, investigations and react in real time when non-compliance or contraventions of the legislation are discovered during an inspection.”
Speaking to The Register shortly before the debate, Lord Strasburger said: “It’s a tragedy that proper scrutiny and improvement of the Investigatory Powers Bill is not happening because politicians and the public are totally distracted by Brexit and the machinations of the two main parties.”
The bill, noted Strasburger, was “what David Cameron described as one of the most important bills of the entire parliament, but it’s progressing with not much attention from anybody. It is not receiving the scrutiny and attention that it absolutely deserves, apart from the Liberal Democrats and a few cross-benchers in the House of Lords.” ®