UK government accused of being misleading over new laws affecting encryption


The British government has been accused of being misleading about the significance of new proposed powers that would allow security officials to intervene if technology companies planned on introducing end-to-end encryption to their messaging services.

Under the Investigatory Powers (Amendment) Bill, officials in Westminster would be able to issue notices to tech companies on a global basis, forcing them to inform the government before making any product changes that could negatively impact their ability to comply with a warrant.

The Home Office has argued that the legislation is simply an amendment to the existing Investigatory Powers Act (2016) and that it is “not about expanding the powers but about maintaining them.”

However, a briefing note seen by Recorded Future News and sent to parliamentarians by techUK — the trade association representing more than 1,000 businesses in Britain’s technology sector, including Apple and Meta — warns that the Home Office’s description of the bill “does not reflect the true significance of the changes that are being introduced.”

The contents of the briefing note, which was attached to a letter sent to the Home Secretary last month, have not previously been reported. The letter, which has been published on techUK’s website, warns that the “changes would in effect grant a de facto power to [the British government to] indefinitely veto companies from making changes to their products and services offered in the UK.”

The briefing note states: “Our overarching concern is that the significance of the proposed changes to the notices regime are presented by the Home Office as minor adjustments and as such are being downplayed.”

It calls for “adequate time to thoroughly discuss these changes, highlighting that rigorous scrutiny is essential given the international precedent they will set and their very significant impacts,” and warns of the risk that the particulars of the update to the notices regime will not be scrutinized as the government currently intends to specify them in secondary regulations, which are not voted on by lawmakers.

The tech industry’s criticisms are not the only instance in which the Home Office has been accused of a lack of candor over this legislation. In his statutory report into the Investigatory Powers Act, House of Lords member David Anderson described the Home Office as having only “alluded … in the broadest of terms” to a change that would allow GCHQ to monitor internet logs in real time to discover and disrupt attempts at online fraud.

Anderson, whose report did not cover the new legislation’s powers for the government to issue notices to tech companies, wrote: “It is all the more important, in these circumstances, that any proposed extra condition … should receive proper pre-legislative scrutiny.”

Despite Anderson’s call for proper scrutiny, the bill is currently racing through Parliament. It was introduced to the House of Lords in November and, after a two-day examination in December, will be voted on later this month before progressing to the House of Commons.

The accelerated timetable is likely driven in part by a general election in the United Kingdom this year, which shortens the amount of time available for legislation to be considered in this parliamentary session. The date of the election has not yet been set.

Crypto Wars ad nauseam

The new legislation follows a vituperative exchange between the government and the wider technology industry during the passing of the Online Safety Act, which contained a provision that could require end-to-end encrypted messaging platforms to use “accredited technology” to identify particular kinds of content.

Technology companies, including Apple and Meta, claimed the provision risked nullifying the protections they give users and would expose sensitive messages to interception. They threatened to pull their services out of the country rather than compromise on the end-to-end encryption features they offer their users.

Following the publication of the Investigatory Powers (Amendment) Bill, the social media giant Meta announced that it had started rolling out end-to-end encryption as a default globally “for all personal chats and calls on Messenger and Facebook,” potentially foiling any government attempt to issue a notice once the power became available.

Meta’s move, one of the concerns about encryption most commonly cited by the British government, provoked criticism from officials, with a senior member of the National Crime Agency warning it would “no longer be possible” for Meta to keep children safe on its platform. Meta has cited several tools that it argues would enable it to continue keeping children safe.

In the letter to the Home Secretary, techUK’s members argued that the proposed changes under the amendment bill were going to constrain product development and launches in Britain, and “could impede” tech firms from taking “immediate action to protect users from active security threats.”

A spokesperson for the Home Office told Recorded Future News that there was no intention for security patches to be covered by the notification requirement, and stressed that in a democracy decisions about security and privacy should be made by government and not multinational companies.

“We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption. But this cannot come at a cost to public safety, and it is critical that decisions are taken by those with democratic accountability,” the spokesperson said.

A techUK representative said that the trade association “supports the Home Office’s aim of ensuring investigatory powers are effective” and noted that alongside its members it had worked with the Home Office “to find a balance between security and privacy” during the passing of the original legislation.

However, they argued that in its current form the amendment bill “escalates the possibility of conflicts of law, potentially impeding technological advancements aimed at bolstering consumer privacy, integrity, and security.”

The trade association said it was committed to working with the Home Office again “to make targeted changes to the Bill that we have outlined in our letter. We believe that would allow the Home Office to achieve its stated aims while also striking a balance for government, businesses and citizens.”


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 
