TR Member Perks!

The full text of a draft of the Investigatory Powers Act, an authoritarian surveillance bill being pushed by UK prime Minister David Cameron, has been released to the public. In the days leading up to its release many sites were warning that the draft contained dangerous provisions that would threaten the privacy of communications and would force companies like Apple to put backdoors in their encrypted messaging services. It turns out those concerns were justified.

Many sites are prominently featuring in the headline the fact that the bill does not outright ban encryption, something which the government has been using to defend the bill from criticism. Even though it does not completely ban all encryption, it does require companies like Apple to decrypt communications if an agency like the GCHQ serves them a warrant. So this merely bans useful encryption. As long as companies have encryption weak enough to be broken or circumvented in some way, it’s allowed.

Strangely enough, many of the powers in the bill are claimed to already exist under current law and this is merely putting them together in a single piece of legislation for clarity. This include the requirement that companies must be able to decrypt any messages their services encrypt. The bill states, “RIPA requires CSPs to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.”

Another aspect of the bill that is raising concern is a requirement for ISPs to keep records of 12 months of Internet connection records. Home Secretary Theresa May defended the requirement stating, “If someone has visited a social media website it will only show they have accessed that site, not the pages they visited or what they said. It is simply the modern equivalent of an itemized phone bill.” However, Mike Weston, CEO of data science consultancy Profusio, disagreed with May’s comparison saying, “It’s more useful and more intrusive. You can tell quite a lot more about what people are looking at online than you can from an itemized phone bill.”

One silver lining in all this is the inclusion of a so-called double-lock in order for intelligence agencies to get a warrant for their snooping activities. Under the current law the Secretary of State has the authority to approve warrants for surveillance by these agencies. However this bill would add the requirement that warrants must be approved by a judge in addition to the Secretary of State. This addition of judicial oversight is a welcome change, even if most of the other provisions in the bill are awful.

It is also noteworthy that due to the intelligence sharing treaty between the US, UK, Canada, Australia and New Zealand, also known as the five eyes, any communications intercepted by the GCHQ will also be shared with intelligence agencies in the other four countries. This would apply to decrypted communications, ISP records, or anything else the GCHQ can get its hands on.

Is this law a threat to privacy, or is it okay? Leave your comment below.

Max Michael

Senior Writer

I’m a technology reporter located near the Innovation District of Kitchener-Waterloo, Ontario.

  • Blank Generation

    Christ. At least the US government has the sportsmanship to try and crack encryption instead of just making it against the law.

  • Fient

    This is…stupid.

  • Azure

    It can be a threat to privacy. But also wouldn’t the EU just turn around and say no you cannot do this like with the porn filter?

  • VRSmiffSteen

    NOT gonna happen. Before this type of global genocide if re-instated by the Brits, forces thru out the world will unite to eliminate. GCHQ WILL BE REDUCED TO RUBBLE.

    People simply will tolerate this level of intrusion.

  • AW

    Such a move would be render any compliant encryption method completely useless. Building intentional flaws like this into a protection method is like putting a storage cabinet door in the exterior wall of a castle and saying ‘The only people who have a copy of the key are all the people in here, so no need to guard this one’. Massive layers of protection with an easily accessible, flimsy, poorly protected access point.

    Nobody will even bother to try to crack the encryption, when a team of capable hackers will likely be able to get their hands on the universal key to the encryption within a week of it being available. There’s no way to protect the key when it has to be available to every cop, government agent, forensic technician, and every other official who could be able to demand access to encrypted records. That widespread availability of the key will make it easy for someone unauthorized to gain access to it, and once they do, it’ll be for sale as an exclusive on the dark web for a couple of days before one of the buyers just scatters it around the internet as a whole, making the key freely available to anyone who looks for it, and renders the entire encryption format worthless.

    You’re talking about giving encryption schemes viable lifetimes which are a fraction of the time it takes to develop one.