New UK spy powers will force companies to remove encryption

But a big question mark hangs over the head of Apple, Google, and other foreign firms, on whether they will be forced to "remove any encryption" when demanded.
Written by Zack Whittaker, Contributor
(Image: ZDNet/CBS Interactive, file photo)

The UK government wants companies to remove encryption on demand to help the authorities intercept data.

The new draft powers bill unveiled Wednesday by the UK home secretary, the biggest shake-up to the country's surveillance powers in the past decade, combines existing legislation with new statutes, in an effort to modernize powers for police and intelligence agencies.

Of the more controversial elements of the Draft Investigatory Powers Bill, the government is seeking powers to compel companies that operate in the UK to decrypt data with a warrant.

While overseas companies are exempt, they will still be obligated to turn over limited metadata, such as when a call or email was made, and who sent and received it.

But companies like Google and Apple which are based in Silicon Valley but operate in the UK may face pressure to turn over data regardless.

The bill notes that an existing 2000-signed law, the Regulation of Investigatory Powers Act (RIPA), requires communication service providers -- which includes tech firms -- to "provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the [company] to whom the notice relates."

The bill will "provide an explicit obligation" for companies to allow authorities access to data on their networks, such as "remote access to computers to downloading covertly the contents of a mobile phone during a search."

It said modern "sophisticated encryption" makes it difficult for the authorities to obtain user's data, adding that it may lead to "a loss of intelligence." That not only includes messages in transit as they traverse the internet, but also data stored on devices -- both at least in Apple's case are encrypted, and can't be decrypted by the company.

The draft bill comes more than two years after the Edward Snowden revelations of mass government surveillance were first published. Many parts of the bill, such as state-permitted hacking and storing internet user's browsing history, that will be explicitly legalized by the bill have been leaked in documents published by the former NSA contractor.

Other countries, including France and the US, have increased their surveillance powers in the wake of the disclosures.

Other parts of the new draft surveillance powers bill will make the "bulk collection" of data explicitly legal, while some protections are given to limited "sensitive professions," such as politicians and journalists.

Editorial standards