The UK government has unveiled it’s new Investigatory Powers Bill (View it online), another attempt at the Communications Data Bill (nicknamed the “Snoopers Charter”) which was blocked in the previous parliament. With the new bill the government has confirmed that contrary to recent public statements, it does indeed plan to ban end-to-end encryption commonly used in messaging apps such as WhatsApp or iMessage.
Technically this isn’t entirely true - the bill does not explicitly ban encryption (as Theresa May has gone to great lengths to point out), however section 189 of the bill does obligate providers to comply with the regulations and facilitate handing over messages to whomever lawfully request those messages. What this ultimately means is that the services which Apple, WhatsApp and other similar operators provide, whilst technically legal, are implicitly illegal under the new regulations because should an order to intercept messages be placed upon the service provider, they would be unable to decrypt the messages passing through their service and and so would not be able to comply with the order and thus their obligations enshrined in these proposed new regulations.
Under the new regulations, the service provider is required to decrypt messages should law enforcement or anyone else duly authorised under the regulations requests access, however the likes of Apple and WhatsApp cannot decrypt messages even if they wanted to, and so those services are potentially illegal. Or, at the very least, service providers could theoretically be ordered to weaken the protection their systems offer in order to ensure that the providers meet their obligations under the new bill.
“Won’t someone think of the children!”
The government gives lots of reasons why they need this ability to access your private messages. Everything from crime prevention to tax avoidance, catching paedophiles, and of course terrorism. These are all very emotive reasons intended to elicit public support, but the reasoning is flawed. Banning encryption does not help prevent terrorism, or catch sex offenders, or any of the things they say it will. Let’s imagine a scenario…
Terrorist 1 “We should encrypt our emails so MI5 can’t find out our plans”
Terrorist 2 “Nah they banned encryption”
Terrorist 1 “Oh we best not then, we don’t want to break the law”
Clearly this scenario is completely ridiculous; anyone who is planning a terrorist attack is already breaking the law in doing so and they are not going to be the least bit worried about also breaking these proposed new laws restricting services utilising end-to-end encryption - they are obviously going to continue to use such a service anyway, and the same applies to any other criminal!
The only people who would comply with these new laws and not take steps to evade a ban on unbreakable communication methods would be perfectly innocent, law abiding citizens and companies - people whom the government insist that they have no interest in spying on.
Who is the service provider?
One of the problems with this law is that even if it was able to do what it claims to do and simultaneously put a stop to child abuse online and terrorism, it is simply impossible to implement.
For a start, who is the service provider that will be the subject of these orders? In the case of iMessage or WhatsApp it is fairly clear cut who the service provider is, but let’s say I’m a terrorist running my own mail server, or perhaps series of mail servers and utilising GPG encryption to secure my communications, who is the service provider?
Is it the company who provide the internet connection through which the messages my mail server processes are delivered? Or is the company who make the software that the mail server is running the provider? Or perhaps it’s the open source project that makes the particular implementation of PGP encryption (OpenPGP is defined by the IETF under RFC4880 and implemented by the Free Software Foundation in the GNU Privacy Guard project, the source code of which is freely available online to anyone) that I’m using? Or maybe the operating system who make the software the mail server is running on? In all those cases, the organisation in question doesn’t have access to the keys for the encryption that is being used, so even if they were determined to be the service provider there is nothing that they can do in order to provide decrypted copies of the messages. In this scenario the only person who has the keys is the person the government are trying to spy on, and if you’re a terrorist running your own mail server it seems unlikely that you would hand over the keys to your communications to the police or intelligence services.
They aren’t banning encryption…
As was said at the beginning of this blog, it should be noted that the government isn’t banning encryption - the government apparently have no problem with encryption being used, so long as they are able to read encrypted communications at will. To achieve this, the government will require that companies providing communication services are able to decrypt the messages being sent via their services. At the moment, this is technically and mathematically impossible - the encryption keys are entirely invisible to the users and the company who provide the service, so even if the service provider such as Apple wanted to comply with an order, they simply could not as they do not have access to the necessary keys, which are stored inside the device. Despite the protestations of the various tech companies who will be subject to this law, the government insist that they must have access to the communications people are sending.
There is a real world example of this desire for building a backdoor into something otherwise secure; in the USA the much hated Transport Security Administration (TSA) require that luggage passing through US airports is not locked, so that they can inspect the contents at will. If a bag is locked then they will simply cut into it and destroy the bag if necessary. Alternatively, passengers can use TSA approved locks that can also be unlocked with a master key which the TSA alone have access to. Or at least that would be the case were the design for the TSA master key not freely available online to download for 3D printing by anyone.
Encrypted communications are not much different to the luggage which the TSA demands access to; the only problem is that without that master key, the encrypted communications simply cannot be broken into, and therein lies the problem. Once you introduce a backdoor mechanism for gaining access, then that mechanism can be exploited by anyone; be it by the government overreaching the scope of their surveillance, or by the details of that mechanism being stolen - much like the TSA master key for luggage. Once you weaken a secure system in any way, it’s just that, weakened.
The solution doesn’t fix the problem
There are so many other reasons why this proposed law doesn’t actually fix the problem, in addition to the flaws already discussed.
First of all, it doesn’t actually do anything to solve the problem that it’s trying to address. If the government wish to catch terrorists, or paedophiles, or whoever they are looking for, then they aren’t going to do this by requiring access to encrypted messages via legitimate mainstream services. If the terrorists and other criminals know that the government has access to these services, then they simply won’t use those services! Most likely they will end up creating their own services based on already available open source encryption software which they can control. And it seems unlikely a terrorist run communication service is going to willingly hand over the encryption keys when ordered to do so. So in this scenario, the only people being watched are regular citizens who find themselves subject to indiscriminate surveillance.
Secondly, who is to say that the companies subject to these orders will even comply? An American company (such as Apple), operating a service from an American head office using servers based in America cannot be compelled to comply with laws in this country - and the British government is hardly going to ban the import of iPhones! Look at it this way; Google chose to shut down their China operation rather than be subject to Chinese laws and the Chinese government’s desire to filter Google search results and log Google’s customers in China.
Thirdly, why should the British government be allowed this type of access? If the Chinese or Russian governments were demanding access to unencrypted messages in a similar manner, then the western world would be outraged and cite human rights violations and oppression. Indeed, the western world frequently criticises governments like China’s for the extensive electronic surveillance of their citizens, and yet apparently it is now acceptable for the British government to do the same in the name of counter terrorism and crime prevention, arguments not too dissimilar to the justification China uses to monitor it’s citizens.
The only people it hurts are the innocent
Ultimately, with the new Investigatory Powers Bill the only people who are even remotely at risk of being spied on are low level criminals and innocent people. And with the scope of access being discussed where even HMRC or your local council can access the information, the only people the law is likely to catch are TV license fee avoiders, people overdue on their tax return, and perhaps the occasional burglar.
The new laws are designed to give the government blanket access to communications with little to no judicial oversight and the only positive impact it’s likely to have is the occasional low level criminal behind bars. The proposed laws don’t achieve what they are meant to achieve and what they do achieve is disproportionate not just in terms of financial cost, but also in invasion of the private life of ordinary citizens.
Freethought believes in your right to privacy
We wholeheartedly agree to your right to a private life, a right that is enshrined in the Human Rights Act, and we will do everything we can as a company, as employees of a company, and as citizens of the UK to protect your rights. We appreciate the need to fight online crime, and prevent the spread of extremism, but we question how much we as British citizens are prepared to give up in the way of our own liberties to win that fight, especially when what we’re being asked to give up, won’t have any measurable impact and will be largely ineffective.
Unfortunately, if laws are passed that compel us as a service provider to grant access to your data or to log your activity on our services, then as a British company we will have no choice but to comply with those laws, but rest assured that we will do everything we can to resist it.
We would urge you to write to your MP and tell them what you think about these proposals, you can find your MP and message them online at www.theyworkforyou.com