The United Kingdom is no stranger to policy debates over encryption. Since the early 2000s, U.K. lawmakers have debated encryption’s privacy and cybersecurity benefits, as well as the obstacles it can create for law enforcement and intelligence investigators. The recent increase in the availability of default device encryption and end-to-end messaging services (messaging apps where only the users have the keys to decrypt their messages) has led to growing concern by law enforcement and intelligence investigators about how best to address situations where only the subjects of investigations themselves may possess the keys to their encrypted data. These concerns have prompted renewed debate and lawmaking in the U.K. around encryption.
January 2015 saw the escalation of the encryption fight in a number of nations around the world, including the U.K. Not long after the introduction of default iPhone encryption in the U.S., and just days after the Charlie Hebdo shooting in Paris had renewed fears of terrorism across Europe, Prime Minister David Cameron spoke out. His comments suggested that there should be no “means of communication” which “we cannot read,” and were widely interpreted to suggest a legal ban on end-to-end encrypted messaging apps. These remarks sparked concern that the U.K. government was mounting an anti-encryption policy push. That same week, Cameron reportedly pressed the issue in a visit with U.S. President Barack Obama, demanding greater cooperation from Silicon Valley companies to support the U.K.’s anti-terrorism efforts.
In this climate of increased attention to encrypted communications, the bill that would eventually become the Investigatory Powers Act (IPA) was introduced in Parliament in late 2015. The Investigatory Powers Bill (as it was called before it was passed into law) sought to authorize sweeping new surveillance powers while forcing internet service providers (ISPs) to retain their customers’ records for 12 months. Nicknamed the “Snoopers’ Charter” by the press and civil society, the bill also explicitly authorized both targeted and mass computer hacking that a variety of British intelligence and law enforcement agencies had already been secretly engaging in for years. Most relevant to the current debate on encryption, it authorized cabinet ministers to issue secret orders to a broadly-defined set of communications service providers (CSPs) requiring that they create and maintain the capability to assist with lawful surveillance, including having the capability to decrypt their users’ encrypted communications. The final version of the bill passed in November 2016 despite strong criticism from some of the world’s biggest tech companies, a large number of civil society organizations, and three United Nations special rapporteurs.
The IPA came into force on December 30, 2016, but confusion over this law remains, primarily because it is still unclear whether, when, or how the government may use the IPA to compel providers to redesign their encrypted services to facilitate government access. Meanwhile, new domestic terrorist incidents, such as the March 2017 attack outside of the Houses of Parliament, prompted renewed statements against encryption from Home Secretary Amber Rudd, even before it was known if encryption played a role in the attacks. Theresa May, who was the IPA’s primary champion when she served as Home Secretary, is now Prime Minister, and her party’s manifesto for the recent election vowed to end safe spaces for terrorists online, which some have interpreted as referring to the use of encryption. Suffice it to say, end-to-end messaging services and device encryption tools are likely to face resistance from government officials in the U.K. for the foreseeable future.
This paper aims to summarize the state of the encryption debate in the U.K., in order to enable comparison with similar debates in the U.S., Germany, and France, and to see what lessons from the British experience might be applied by advocates and policymakers who continue to defend encryption both in the U.K. and elsewhere. First, the paper will examine the U.K. laws and regulations in force today that impact encryption, trying to gauge the extent to which they may require the re-engineering of products to include backdoors or be used to prohibit encrypted products without backdoors (what we’ll collectively call “undermining encryption”).
The paper will then provide additional political background on the state of the debate, describing how it got to the point where it is now, identifying the parties to the debate and their arguments, and making predictions about the future of the U.K. encryption debate. It will end with strategic recommendations for advocates of encryption about how to address threats to encryption and how pro-encryption groups can be more effective.
About the Series
The right to use strong encryption technology—like the encryption that secures your iPhone or protects your WhatsApp messages—isn’t only under political attack in the United States. Governments in the United Kingdom, Germany, France, and other European countries have recently taken steps toward undermining encryption. In particular, a range of government stakeholders have been pressing for service providers to re-engineer their encrypted products so that they always hold a key to their users’ data—often referred to as a “key escrow” scheme, or “exceptional access,” or a “backdoor”—or to simply not offer such products at all.
Although these local debates have engaged a wide range of policymakers, privacy advocates, and internet companies, they’ve been taking place largely in isolation from each other, with limited sharing of information, arguments, and advocacy tactics between those countries’ policy communities. These papers will fill in some of those gaps by mapping the legal landscape and political dynamics around encryption in various European capitals. This is the first of those papers, focused on the encryption debate in the United Kingdom. The other papers in the series cover the encryption debates in Germany and France.