UK government pushes for companies to weaken encryption

By EDRi · May 31, 2017

The terrorist attack in Manchester on 22 May has led to a relaunch of the encryption debate in the UK.

In December 2016, the UK parliament passed the Investigatory Powers Act. This wide-ranging surveillance law gives government ministers the power to issue Technical Capability Notices (TCNs), which can force companies to modify their products.These powers could be directed at companies like WhatsApp to limit their encryption. The regulations would make the demands to attack end-to-end encryption a reality, explained Executive Director of EDRi member Open Rights Group (ORG) Jim Killock. For this power to take effect, the government needs to pass secondary legislation.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

In early May 2017, ORG leaked the government proposals, which had been sent to a few companies for a “targeted” consultation. These included details of how companies with 10 000 or more UK customers could be compelled to modify the security of their products and services to enable interception and metadata collection. While this power already existed under the Investigatory Powers Act, the regulation provides much more detail about what companies could be compelled to do if they are served with a TCN. Potentially, these notices could be used to oblige companies to introduce backdoors to end-to-end encryption, or put in place other security weaknesses, with little accountability. ORG believes that proposals which could affect everyone’s digital security should be open to public scrutiny. ORG and around 1 400 of its supporters made submissions to the consultation, which closed on 19 May.

After the suicide bombing at the Ariana Grande concert in Manchester, there have been news reports that the government will try to rush this secondary legislation through parliament after the general election in June.

The Conservative Party’s manifesto also includes proposals that would see increased regulation of the internet. Internet companies would be responsible for deciding whether user posted content is legal or not, and subsequently taking it down. This would inevitably lead to an increased number of takedowns as companies err on the side of caution and would have a serious impact on free speech.

Response to Consultation on Regulations of Technical Capability Notices

Selective, secret consultations have no place in open Government (05.05.2017)

Home Office consultation: Investigatory Powers (Technical Capability) Regulations 2017

UK government attacks encryption … again (05.04.2017)

UK’s mass surveillance law being rushed through legislative process (09.03.2017)

UK Draft Investigatory Powers Bill: Missed opportunity (18.11.2015)

UK: Report of the investigatory powers review (17.06.2015)

(Contribution by Pam Cowburn, EDRi member Open Rights Group, the United Kingdom)