A new US-UK data agreement is worrisome but it won’t give access to encrypted comms

A new treaty between the US and UK will require social media companies like Facebook to hand over private messages but, contrary to recent reports, will not break end-to-end encryption or force them to add backdoors to their software.

That’s the upshot of a weekend of frantic commentary and debate over the CLOUD Act, which will likely be signed next month. The legislation is troubling, especially since it will legally require tech companies to hand over messages when requested by the authorities - an approach that has been wildly and consistently abused in the past - but it will not force those companies to provide them in a readable format.

The confusion is understandable: the security services have been pushing hard for the new legislation and have talked about the law allowing them to place "virtual crocodile clips" on modern forms of communication such as encrypted chat and call apps.

But there is a significant degree of justification behind the law, at least in concept. Currently, authorities in the US and UK are required to fall back on a law from the 1980s in requesting electronic information on criminal suspects.

That causes significant delays in the provision of potentially important information because it requires UK authorities to go through the US courts to get the information, and vice versa. The CLOUD Act will make that information exchange much faster.

Advocates of the law have been flagging notable cases, such as the murder of 13-year-old UK citizen Lucy McHugh. In that case, the man suspected of murdering her, Stephen Nicholson, had interacted with the girl through Facebook Messenger and the authorities wanted to know what was in those messages, for obvious reasons.

In the end, Facebook - which is based in the US - only handed over a log of the messages, with no content, and that log only arrived on the day the trial started. It was very far from perfect; the only good news being that Nicholson ended up being convicted and jailed for life.

Defaults

Facebook Messenger does not have encryption turned on as a default - you have to select it - and as such, under the new law, the UK authorities would have had access to messages sent between the two.

The situation is different when it comes to apps like WhatsApp - also owned by Facebook, however. WhatsApp has end-to-end encryption turned on by default and that is what may have caused confusion in media reports at the weekend.

The head of WhatsApp, Will Cathcart, responded on Sunday to the reports, noting “we were surprised to read this story and are not aware of discussions that would force us to change our product.”

He added: “We believe people have a fundamental right to have private conversations… We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves. In times like these we must stand up both for the security and the privacy of our users everywhere. We will continue do so.”

A lengthier analysis by former Facebook CISO Alex Stamos on Twitter digs into the history of the new CLOUD Act, the current situation and what will change under the new law. In a nutshell, it will give the UK authorities the right to issue a request that is equivalent to that of a US court; and the US authorities to do the same for a UK court.

Right...

But, crucially, it will not give either country additional rights. So the US courts are not (currently) allowed to force a company to unencrypt messages, or install backdoors in their software to do so, and so neither will the UK authorities be allowed to do so.

There are also some additional safeguards: US authorities will only use their new powers to investigate cases based in the US; and UK authorities only with the cases in the UK. Additionally, the US authorities have agreed that no information provided by the UK can be used as evidence in cases where the death penalty is under consideration, which isn't really an issue as capital punishment has been banned in the UK since 1969.

That doesn’t mean that the CLOUD Act is all good news however. The NSA in the US and GCHQ in the UK have a long history of abusing the law, often through secret interpretations of it, in order to gain as much access as possible to private citizens’ communications.

It is a virtual certainty that the security services have attempted to introduce language - and likely have succeeded in doing so - that they are confident they can later re-interpret in a way that grants them greater access than was envisioned.

You only need look at the aftermath of the Snowden revelations and the ridiculous interpretations that still exist within current spying programs in both the UK and US to see what direction the law is headed.

That said, it is equally ridiculous that in the internet era - where people’s use of social media is instant and seamless - that people investigating serious criminal matters cannot gain access to vital evidence because the company that offers the communication service is based in a different country.

In that sense, the CLOUD Act will not help bring laws that everyone is comfortable with into the digital era. And it does extend or expand powers beyond that. At least not on paper and not yet. ®