The UK's international snooping plan is probably going to end in failure, again

The UK wants to extend its surveillance legislation to cover foreign tech companies offering services in the UK -- but it's going to have a tough time enforcing it.
Written by Steve Ranger, Global News Director
The UK government is dramatically expanding its internet surveillance efforts: in the space of less than 18 months, it has been trying to bring international tech companies firmly under the remit of its spy legislation.

But the attempt is unlikely to succeed, like its other attempts to make overseas companies hand over their customers' data and communications.

Because millions in the UK now use services like Apple's iMessage and WhatsApp -- which are based outside of the UK and use strong encryption -- the UK government says there is a large and growing gap in the ability of law enforcement to intercept and read communications.

It has been trying to close this gap with updates to its internet surveillance regime.

The first big step took place last year with the Data Retention and Investigatory Powers Act 2014.

This piece of legislation -- rushed through Parliament because of a European Court of Justice ruling which would have limited UK surveillance powers -- significantly extended the powers of UK spies (even though the government said it would not).

Under it, overseas tech companies can be asked to hand over data about their customers' online communications, even if the company has no presence in the UK. The government insisted at the time that the UK's surveillance legislation has always implicitly covered foreign companies, something overseas companies have disagreed with.

The law also extended the definition of a "telecommunications service" to include companies which provide internet-based services, such as webmail, bringing many more companies under its remit.

Under this legislation, if a company is issued with a data retention notice by the Home Secretary, it is obliged to retain for 12 months certain types of communication data which can be used to pinpoint who was communicating, like the time of a message, the email addresses it was sent to and from, and potentially the location of the device used. However, getting at the contents of the communication -- the text of an email or an online conversation -- still requires a warrant.

"Any company providing communication services to customers in the United Kingdom is obliged to comply with requests for communications data and interception warrants issued by the Secretary of State, irrespective of the location of the company providing the service," the government said at the time.

Because this law was hurried through Parliament, it also contains a sunset clause; it's due to be repealed on December 31, 2016. The government intends to replace it with the Investigatory Powers Bill which was unveiled last week.

This new law requires internet companies to store their customers' web surfing data for a year. And it says that this requirement extends to all companies providing services to the UK or in control of communications systems in the UK.

That means international communications companies would have the same obligation to store web history and communications data as those based in the UK.

It also specifically mentions encryption, specifying that communications companies have to be able to remove any encryption they have applied to the messages or data. The government argues that this is also implicit in previous surveillance legislation because it required tech companies to provide "permanent interception capabilities".

It's an extension of spying powers that has tech companies worried.

Aaron Altschuler, Yahoo's associate general counsel, voiced concerns about the impact of the legislation beyond British borders.

"Of most concern to us at this stage is the UK government's proposal to affirm extraterritorial jurisdiction over foreign service providers. National laws cannot solve an international problem. If emulated around the world, the UK government's extraterritoriality clause would create a chaotic legal environment and unpredictability for companies, users, and agencies," he said.

Campaigning group Privacy International makes a similar point: "Other governments around the world will follow the UK's lead; Britain must not send them in the wrong direction," it warned.

However, there's every chance that the legislation will still have little impact on foreign tech companies. That's because the UK government's attempts to apply legislation to them haven't gone so well so far.

In his most recent report of July this year, the Interception of Communications Commissioner Sir Anthony May -- tasked with overseeing this form of surveillance -- said the new powers had so far made a very limited impact.

Despite the legislation, communications companies based outside of the UK have continued to insist that they cannot be forced to hand over communications data by threat of court action in the UK because they are outside of UK jurisdiction. While some are willing to hand over information in counter-terrorism cases, cases where there is a threat to life, and child protection cases, they consider this to be voluntary.

Sir Anthony also said some overseas communications companies were only handing over the contents of communications in very limited circumstances -- but that the government had not yet enforced the responsibility of a foreign company to comply with an interception warrant.

Mark Deem, a partner at law firm Cooley, said that technology is constrained by few boundaries: "Any attempt therefore to drive the behaviour of global technology companies to meet the political and legislative demands of a given market is likely to either result in a legislative over-reach or legislation which is fundamentally undermined by the inability to enforce it. The draft Investigatory Powers Bill, which was presented before the UK Parliament last week by the UK Home Secretary, is no exception."

He added: "How can the UK Home Secretary require companies (whether telcos, ISPs or other communications providers) based overseas to comply with an order? The bill itself acknowledges its own limitations -- extra-territorial entities need to have regard to the requirements of the bill, but cannot be compelled to comply."

Deem said it is little wonder that companies in the UK will be watching closely as the bill moves through Parliament to see if its requirements are made more onerous, which would be the potential game changer prompting them to relocate elsewhere. He warned: "In its attempt to make the internet more secure, the extra-territorial limitations of domestic legislation in seeking to influence a global industry may yet provide the catalyst to weaken our domestic offering."

As it is draft legislation, there's still plenty that is unclear. For example, the draft says it has to be 'practicable' for a company to hand over communications -- as Mike Conradi, a partner at law firm DLA Piper, points out, a company which offers an end-to-end encrypted service could potentially argue that as it doesn't hold the keys itself, it would be impractical to hand over decoded communications.

But what has changed over the last year is the political rhetoric, for example with Prime Minister David Cameron warning that the new powers are needed to prevent the internet from becoming a "safe space" for terrorists and criminals.

Even so, enforcing this law against international tech companies would put the UK on a collision course with some of the biggest names in tech. Some might shrug and hand over communications, while others may refuse -- or even stop offering services in the UK. For example, Apple CEO Tim Cook earlier this week warned of "dire consequences" if the legislation passed requiring tech companies to put backdoors into their systems.

The big question is whether, once the powers are in place, the government will want to expend the political capital necessary to enforce them. Who do the public love more: their government or their iPhones?
