The Snooper's Charter still has an encryption problem: Parliament continues to grapple with end-to-end encryption in the Investigatory Powers Bill


With the majority of the country distracted by Brexit and the upheaval among the two major political parties - including the former Home Secretary and architect of the controversial Bill Theresa May becoming the UK Primer Minister - this vital legislation has not been quite so high on the news agenda.

However, discussions around encryption at the 13 July Investigatory Powers Bill committee stage debate could have a huge impact on personal and enterprise data security – in particular the ability to ban end-to-end encryption. You can read the entire debate here.

Earl Howe, minister of state for defence and deputy leader in the House of Lords, said it might be worth the government exploring if it’s possible to remove encryption altogether.

"It may be entirely sensible for the government to work with [communication service providers] to determine whether it would be reasonably practicable to take steps to develop and maintain a technical capability to remove encryption that has been applied to communications or data," he said.

Howe added the main concern is around providing criminals and terrorists with safe places in which to communicate, with encryption “almost ubiquitous” and the “default setting for most IT products and online services” – in spite of evidence that unencrypted devices have also been used for illegal means.

“If we do not provide for access to encrypted communications when it is necessary and proportionate to do so, we must simply accept that there can be areas online beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. That cannot be right," he said.

Read next: Snooper's Charter: What you need to know about the Investigatory Powers Bill

“Law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances.”

No half measures

However, Nic Scott, managing director UK and Ireland at enterprise data security specialists Code42, believes there are no "half measures" when it comes to encryption.

"You either have encryption in place or you don’t,” Scott said in a statement to ComputerworldUK. “Once you create a backdoor for law enforcement purposes, you are also opening the door to other, potentially malicious, parties."

During the committee stage debate, Liberal Democrat life member Lord Strasburger took a similar line: "I want to emphasise—and anybody in the cryptography industry will spell this out—that you cannot have it both ways. Either encryption is secure, or it is not; it cannot be insecure for a small group of users and secure for everybody else.

“Once encryption is weakened, it is weakened for everyone and once this is done at the request of the government, it is available to all the people I listed earlier who would do us harm."

Ongoing concerns

Former Home Secretary Theresa May and privacy groups have clashed on encryption since the IP Bill was proposed last year. And the security services warned ‘over the top’ services like Apple’s iMessage and Whatsapp apply end-to-end encryption to all messages, meaning they can’t be accessed at all, even if requested by the government.

Strasburger returned to this issue during the committee stage debate: "One feature of end-to-end encryption is that the provider cannot break it; encryption is private between the users at both ends. [Earl Howe] seems to be implying that providers can use only encryption which can be broken and therefore cannot be end to end, so the next version of the Apple iPhone would in theory become illegal. I think that there is quite a lot of work to be done on this."

In December, the Guardian reported that Apple submitted a formal submission to the Bill committee, specifically about encryption, in December. It read: “We believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat. In this rapidly evolving cyber-threat environment, companies should remain free to implement strong encryption to protect customers."

The joint committee for the Bill issued its report on 11 February, asking for clarification over the issue of end-to-end encryption, which the government still seems to be some distance away from.

The joint committee suggested that the government still needs to make explicit that communications service providers (CSPs) offering end-to-end encrypted communications or other un-decryptable communication services “will not be expected to provide decrypted copies of those communications if it is not practicable for them to do so”.

The government responded in March by saying the revised bill clarifies the government’s position on encryption, “making it clear that companies can only be asked to remove encryption that they themselves have applied, and only where it is practicable for them to do so”.

Earl Howe's recent comments show there is still a lack of clarity at this late stage in the Bill's passage.

Foreign powers

However, Lib Dem Lord Paddick argued that these notices aren't legally enforceable to companies outside of the UK (such as with WhatsApp, Google and Facebook Messenger).  He said that such notices have the “potential to act as a competitive disadvantage to UK technology businesses”.

“Instead of the power to force a company to remove encryption from a whole service or technology, alternative and more targeted powers should be used instead," he said.

Howe was bullish on this: "Many of the biggest companies in the world rely on strong encryption to provide safe and secure communications and e-commerce, but nevertheless retain the ability to access the contents of their users’ communications for their own business purposes—and, indeed, those companies’ reputations rest on their ability to protect their users’ data."

This gets to the very heart of the current debate over encryption and the Investigatory Powers Bill. There's the side that doesn't want to give criminals a safe space to communicate and then there are those who understand how end-to-end encryption works.

Copyright © 2016 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon