The government's encryption plans remain impossible to decipher
Communications services such as Apple's iMessage and WhatsApp use end-to-end encryption to protect their customers' communications from prying eyes.
The first serious look at the government's plans for a new internet surveillance law has demonstrated just how much confusion there still remains about the legislation.
The draft Investigatory Powers Bill was published by the government on November, after which the House of Commons Science and Technology Committee launched its investigation into the technical feasibility of the new law, taking evidence from a wide range of experts.
It has concluded that there is still confusion about some of the key elements of the proposed law: about exactly what information about our internet usage that the government wants to collect -- and the cost of doing it.
Those concerned about the contents of the legislation were quick to make similar points: campaigning group Privacy International warned again that the lack of clarity in the draft bill risks undermining security and privacy, and could damage not just the UK's technology sector, but in turn the larger economy.
It noted: "The committee's report shows that both small UK businesses and international companies like Apple should be, and often are, concerned about the draft Bill's potential to weaken encryption and sanction 'equipment interference', or government hacking."
Meanwhile techUK, which represents the tech suppliers in the UK made a similar point, and said more clarity was needed on fundamental issues, such as core definitions, encryption and equipment interference, meanwhile Liberty warned that the lack of clarity in so many aspects of the draft Bill "opens its provisions up to abuse".
In particular these groups and the MPs' report highlight the continued confusion about how to deal with the increasing use of encryption.
More communications services (Apple's iMessage and WhatsApp are among the biggest) are using end-to-end encryption to protect their customers communications from prying eyes. This means no unscrambled record of the conversation is kept by the company which runs the service: the only people that can read the message are the sender and the recipient.
Law enforcement agencies warn that such technologies mean that criminals can plot in secret, and the government has vowed that there should be no communications that it cannot (with a warrant) read, while campaigners argue such technology is essential to privacy.
While the government claims the new legislation doesn't place any new requirements on tech companies to provide their customers' communications in an unencrypted form, it does imply that requirement is already in existing legislation and so will be carried over (even if it has never actually been tested, or indeed much noticed).
The MPs' report agrees with the government that "in tightly prescribed circumstances", law enforcement and security services should be able to seek to obtain unencrypted data from tech companies -- assuming that such a demand is "clearly feasible, and reasonably practicable".
However, they also warn that there is still confusion about how the draft bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption.
"The government should clarify and state clearly in the codes of practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied," it says.
If the government does as the committee suggests, it won't require mobile networks to be able to unencrypt such traffic (which is just as well as they couldn't anyway).
All of that makes a certain amount of sense, but won't help police or intelligence agencies get access to the sorts of communications data they want from any service that offers end-to-end encrypted communications. How does this match the government's rhetoric?
So what happens next? Does the government demand that the providers of such services should be provide unencrypted versions of customers' communications? Such companies may well argue that thanks to the way their systems are designed that it is neither feasible nor practicable to do so. They may well also point out that they (in the most part) aren't based in the UK either.
It is hard to see how the government's legislation will tackle this fundamental issue.
So why does all this arcane detail matter to anyone? Because every new technology brings new opportunities for surveillance. The use of encryption is one way to protect against that.
Making the right decision about how and when we are allowed to use such technologies will have significant repercussions for privacy, especially as the decision to give up on privacy is unlikely to be reversed: as Liberty points out: "The security services are not known for giving up powers once they have been introduced."
Read more on web surveillance
- The new art of war: How trolls, hackers and spies are rewriting the rules of conflict
- Inside the secret digital arms race: Facing the threat of a global cyberwar
- Surveillance laws need rethink, but bulk collection of web data will continue
- The undercover war on your internet secrets: How online surveillance cracked our trust in the web
- The impossible task of counting up the world's cyber armies
- Encryption: More and more companies use it, despite nasty tech headaches