Backdoors and vetoes: New security powers will fatally undermine your privacy
When your new security law might undermine secure communications, something has probably gone wrong. Revisions to the Investigatory Powers Act, which regulates how law enforcement accesses otherwise private data including your communications, activity and location, are currently being considered in the House of Lords and risk achieving exactly that dubious outcome. Experts are looking at the proposals and concluding that they could undermine progress towards a more secure Internet.
To be clear, there are legitimate law enforcement requirements here and responsible businesses respond to their requests. There have been long-standing worries, though, about the potential for legislation to undermine privacy by restricting encryption or insisting on the creation of “backdoors” that give the government access. Weaker security ultimately leaves online systems more vulnerable to all kinds of attacks. It is impossible to just build a back-door for the “good guys” — once a vulnerability exists, it will be exploited.
However, the particularly dangerous part of the new proposals is the impact they could have on security and privacy improvements. The combination of notification notices and a power to insist that the services do not change without permission could give the Home Office an effective veto over product changes.
The idea is that this will prevent changes that might mean the security services lose access to data they want to access. There are obvious risks in giving the Home Office such broad and extra-territorial powers, though.
That power is going to lead to conflicts with changes that other regulators and governments are pursuing, with companies doing their best to comply caught in the crossfire. In other contexts, governments are pushing companies to hold less data about us and improve their protection including against sophisticated state-sponsored attackers. What are those companies supposed to do if other friendly governments are pushing them to make changes, but the Home Office is holding up the process? At a minimum, the Government should only be enforcing these provisions in the UK for UK users and it should make clear that companies will not be breaching the rules because they comply with requirements in other friendly countries.
It absolutely should be a priority for the Government to work with companies that can help them address diverse security threats online. The last thing any of us need is for a new security law to make that work harder.
More broadly it is going to hold up progress in improving and securing the digital services we all use everyday. The new regime will create practical obstacles that will slow down innovation and undermine the quality of digital services. We commissioned polling recently which found that people put a premium on protection for their privacy online with 50 per cent, for example, saying that privacy, data minimisation and end-to-end encryption was an important factor in deciding which messaging services to use. This is a priority for other parts of government too with the Department for Science, Innovation and Technology announcing new guidelines for business leaders, arguing that “cyber threats should be prioritised as a key business risk like financial and legal challenges”.
Investments in improving services will be deterred if there is a risk they are held up indefinitely by opaque Home Office objections with limited procedural protections. Important new security features, which need to move fast, might be the hardest to square with new bureaucratic delays. These delays will affect the regulated services beyond our borders and, for some affected companies, this is a big enough deal that they have made clear they might have to withdraw products from the UK market entirely, with the customers who love those services losing out.
The UK benefits enormously from its reputation as a safe market in which to invest. This and other regulatory impositions are undermining that hard-won good name. Security experts internationally are noticing what the UK is doing. Among our friends there is growing concern with Jim Baker and Richard Salgado in the United States, for example, writing that the proposal “jeopardizes data security and privacy”. At the same time, there is a risk that if we cannot establish that this is all done right we legitimize authoritarian regimes replicating these kinds of powers and using them to spy on and repress their citizens.
The proposed revisions to the Investigatory Powers Act are fixable. If Parliament is given proper time to review the bill, the risk of a veto on product changes and conflicts of law between the UK and other countries can be addressed. Proper procedural safeguards can be put in place.
It absolutely should be a priority for the Government to work with companies that can help them address diverse security threats online. The last thing any of us need is for a new security law to make that work harder.
Matt Sinclair is senior director, UK, of the Computer & Communications Industry Association