No, the government hasn't done a U-turn on encryption

Despite a few tweaks, the government's web snooping bill still targets the use of encryption -- but it is the other powers contained in the law that may worry privacy advocates more.
Written by Steve Ranger, Global News Director

New bill gives police and intelligence agencies the legal powers to hack into devices or networks, with a warrant, to gain access to communications.

Image: Getty Images/iStockphoto

One of the many controversial aspects of the Investigatory Powers Bill currently making its way through Parliament has been the focus on encrypted communications. The government has talked about using the legislation to make sure that police and intelligence agencies are able to read all communications in the UK amid fears that criminals are using encryption to cover their tracks.

But in the parliamentary debate, which accompanied the third reading the bill, Solicitor General Robert Buckland noted a change the legislation: "Following further engagement with industry, we have taken steps to address further concerns, and so amendment 86 will make it clear that national security notices cannot require companies to remove encryption."

This has lead some to think that the government has changed its position on encryption, and that the lobbying by Apple, Microsoft, and others has been successful. In reality that does not seem to be the case.

That's because even though national security notices no longer refer to encryption, companies that provide communications services (that might include traditional telecoms companies or ones that make messaging apps) can still be served with another type of notice, known as a 'technical capability notice'.

And this, among other things, can demand "the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data".

That is, the government can still ask companies to remove encryption from communications, although it is true this power has been watered down at least a bit, in that it now says when making such a request the government "must in particular take into account the technical feasibility, and likely cost, of complying with those obligations".

These requirements can also apply to companies outside of the UK under the legislation: "A technical capability notice may be given to a person outside the United Kingdom," which means it could still apply to companies which provide services from abroad: exactly the issue that big companies like Apple and Microsoft have been concerned about.

Still, the emphasis on technical feasibility and cost means the legislation is not as draconian as some feared: companies can argue that it's too expensive or too hard to remove encryption, or it breaks the law in their own country to do so.

And in reality it's extremely hard to see the British government would even have been able to make any company outside of the UK stop offering encrypted communications to customers in the UK, especially those using end-to-end encryption.

Even if it could, the criminals and terrorists it wants to track would likely move to other forms of encrypted communication offered by companies less willing to pay attention to requests from any particular government.

But it's also hard to see how the new law will achieve the aim stated by the Prime Minister in January last year: "But the question is, are we going to allow a means of communications which it simply isn't possible to read? My answer to that question is: 'No, we must not'. The first duty of any government is to keep our country safe."

In reality the encryption powers in the bill were always going to be hard to enforce in the UK and impossible to enforce abroad.

But it's worth remembering these aren't the only powers in the bill. If the powers around encryption won't have the expected impact, the powers around what is called 'equipment interference', otherwise known as hacking, are likely to. These will give police and intelligence agencies the legal powers to hack into devices or networks, with a warrant, to gain access to communications.

That could mean hacking a phone to switch on the microphone (handy for surveillance of a criminal gang) or even to target groups (the so-called 'bulk equipment interference' which could be used for surveillance of large groups outside of the UK). It could be that by focusing on the encryption powers in the bill, privacy campaigners have been worrying about the wrong thing.

Read more on web surveillance

Editorial standards