The right to use strong encryption technology—like the encryption that secures your iPhone or protects your Whatsapp messages—isn’t only under political attack in the U.S. Governments in the U.K., Germany, France, and other European countries have recently taken steps toward undermining encryption. Although these local debates have engaged a wide range of policymakers, privacy advocates, and internet companies, they’ve been taking place largely in isolation from one another, with limited sharing of information, arguments, and advocacy tactics between those countries’ policy communities. That’s why OTI has begun a series of papers that will fill in some of those gaps by recounting the legal landscape and most recent political rhetoric around encryption in various European capitals. Today we are releasing the first paper in our series, on the crypto debate in the United Kingdom, with additional papers on France and Germany to be published in coming weeks.
The U.K. is in many ways the frontline of the “crypto war” in Europe. Both David Cameron and Theresa May have called loudly for a means to access any and all encrypted communications, calls that have been intensifying over time as a continuing series of terror attacks has rocked the nation. At the end of 2016, the U.K. enacted a complete overhaul and expansion of its surveillance laws, called the Investigatory Powers Act (IPA), but the law raises more questions than it answers about how far the government can go in demanding that private tech companies assist with its surveillance.
In light of government leaders’ public demands for broad access to encrypted data, demands that have been widely read as a call for providers to insert surveillance backdoors into their products or to stop offering unbreakable encryption in their products, the key question becomes:
Can the U.K. government use the IPA—will it use the IPA—to require companies that currently offer unbreakable encryption to undermine that encryption?
The frightening answer is: we don’t know. And we may not have any way of finding out.
The IPA certainly contains new provisions authorizing the government to compel private companies to create and maintain the ability to ensure government access to communications that are carried over their services, via so-called “technical capability notices.” How these provisions might apply to encryption is unclear, however. The law applies broadly to any online service that enables people to communicate, and includes the power to demand the “removal of electronic protections.” That description would seem to indicate that end-to-end encryption is one viable target of this power.
The situation gets more complicated from there. To accompany the law, the government will release a set of Codes of Practice, and in the draft code around technical assistance, the government’s power to compel the removal of electronic protections is limited to cases where those protections were applied by provider itself or on its behalf. Yet this language is unclear: arguably, the user applies the encryption to his or her encrypted Whatsapp messages because that encryption happens on the user’s phone; the same argument could apply to the encrypted data on an iPhone. Yet one could also argue that because that encryption technology is offered and enabled by Facebook and Apple, respectively, then it was “applied” by them. Meanwhile, the government has done little to offer any clarity on this score. Although it has repeatedly disclaimed any intent to “require backdoors” or “ban encryption,” it also has carefully avoided clearly answering how exactly a company such as Facebook would have to respond to a technical capability notice demanding access to end-to-end encrypted Whatsapp messages, or Apple to a demand for access to encrypted iPhone data. Nor are we likely to find out, if and when such notices are served, since they are issued under a cloak of secrecy, and the recipients are gagged from discussing the notice or how they responded to it.
The IPA also codifies an extremely broad and vague new authority to hack into devices for both law enforcement investigations and foreign intelligence gathering, including explicit authorization for the hacking of devices in bulk, authority that will similarly operate under a strict layer of secrecy. In the U.S. debate, many have discussed targeted hacking of suspects’ devices as a less privacy-invasive alternative to demanding backdoors into every encrypted service and device. Yet it seems like the U.K. wants to have its cake and eat it too, by authorizing broad technical mandates as well as allowing untargeted mass hacking—making the U.K. the most hostile anti-encryption government in Western Europe, at least for the moment.
After analyzing the fight over the IPA’s passage and its meaning, and the history and politics around the encryption fight in the U.K., OTI came away with six key lessons for pro-encryption advocates both inside and outside the U.K.:
When fighting in Parliament on surveillance issues you need to build alliances across parties in order to make progress. Parliamentary systems raise different challenges than do US-style congressional bodies, because party members almost always are expected to vote as a bloc. Challenging a pro-surveillance majority therefore requires building strong multi-party coalitions.
British voters and policymakers don’t seem as concerned about government surveillance overreach as Americans (or Germans), so advocates need to focus on other arguments. Distrust of authority isn’t as strong of a cultural factor in U.K. politics. Arguments aimed at the economic and cybersecurity impacts of limiting encryption, as opposed to the impact on privacy rights, are therefore even more important.
The domestic British tech industry needs to be more deeply engaged on this issue. Arguments made by the U.S. tech industry run the risk of being disregarded by foreign governments as being techno-imperialistic or self-interested. That’s why it’s all the more important that the local tech industry (of which the U.K. has a robust and growing sector) carry the torch when it comes to driving home the impacts on local jobs and local economic development.
The community of digital rights-oriented NGOs focused on domestic policy in the U.K. is still small and needs more resources. Digital rights groups such as Privacy International and Liberty in the U.K. put up a great fight, but those groups and others like them could really use more staff and funding. The international community of philanthropic and corporate funders that support internet rights groups must find ways to get more resources to where they’re needed most, and right now they are especially needed in Europe.
The fight must continue in public—and in secret. The door to impact how the Investigatory Powers Act is applied to encryption hasn’t closed, but the fight needs to change gears. Public pressure can still influence how the government seeks to use its powers, while in private, recipients of orders under the IPA can and should challenge unreasonable demands via the IPA’s appeals processes and in the courts.
Alternatives to encryption backdoors must be discussed…carefully. There are a range of policy options that could help law enforcement adapt to changing technologies, and thereby reduce the pressure for backdoors. However, several of those options—like government hacking or making it easier for law enforcement to seek data across borders—have their own privacy implications. And as already noted, the IPA’s explicit allowance for massive government hacking hasn’t dampened calls to undermine encryption. So advocates should tread carefully when encouraging such options.