UK Government Serves Up Possibly-Illegal Amendments To The Investigatory Powers Act

from the I-thought-lawmakers-were-supposed-to-respect-laws dept

For years, the UK government has sought to expand its surveillance powers. And, for years, it has rarely been prevented from doing so. Sure, there’s been a bunch of bureaucratic inactivity and unforced errors (like Brexit) that make it a bit more difficult to push legislation through, but the UK government’s thirst for more power has never been slaked.

So, the push continues. The original IPA (Investigatory Powers Act) did a lot of damage to internet users’ security and placed plenty of burdens on service providers. But, because things like terrorism and the sexual abuse of children continue to exist, these key leverage points have been deployed repeatedly as supposed justification for things like breaking/criminalizing encryption and forcing service providers to collect and store massive amounts of data on their customers.

What never seems to bother those pushing these amendments is the uncomfortable fact that the powers they desire might violate existing laws in the UK and elsewhere in the world. The latest round of revisions has been opened up for public comment. One of the first to comment publicly is Ioannis Kouvakas of Just Security in an article pointing out how the proposed changes may be considered illegal outside of the UK.

Here’s what’s being proposed, as summarized by Kouvakas:

The proposed revisions include five objectives pertaining to changes in the notices regime within the IPA, the process through which the government can ask private companies to carry out surveillance on its behalf, such as interception of communications and equipment interference (hacking). The proposed changes to the IPA notices regimes include an obligation to comply with the content of a potential notice during the review period and before a notice is actually served, an obligation to disclose technical information about the company’s systems during the same review period, measures to strengthen the extraterritorial application of the notices and obligations for companies to give advance notice to the U.K. Secretary of State before implementing any technical changes.

As Kouvakas notes, the “notices and obligations” include things like breaking encryption — or at least weakening encryption to the point it can easily be broken if the government wants access. Introducing user security features requires notifying the Secretary of State. Not only that, but the language strongly suggests that even patching security flaws requires prior notification of the UK government, which gives the government the opportunity to reject proposed patches if it feels these fixes might interfere with its surveillance programs.

UK users’ security protections will be subservient to the government’s wishes and desires. Definitely not ideal. But the proposed changes go further. They demand extraterritorial cooperation — something that will violate international law and appears to be something the UK government simply doesn’t have the power to mandate. (Well, it has the power to mandate this, it just doesn’t have the power to force anyone outside of the UK to comply with the mandate.)

What’s being added here suggests the government isn’t happy that tech companies (most of them located in the US) have told the UK government they either won’t comply with these mandates or will simply stop offering their services in the UK.

The government’s insistence on the extraterritoriality of notices perhaps stems from the strong resistance it might have faced from companies refusing to comply with IPA requirements. As the text of the consultation highlights, “for our investigatory powers to remain effective against a backdrop of rapid technological change, companies must work openly and willingly with us…Additionally, we believe that it would be appropriate to strengthen the enforcement options available for non-compliance with the notices regimes. We propose to draw on existing precedent in wider UK legislation as a starting point for these options”

This addition would allow the government to engage in enforcement efforts that go beyond the (likely futile) civil litigation instigated by the UK Secretary of State. So most likely the levying of fines and fees against foreign service providers. Again, the UK government may not have the power to force any company to actually pay these fees, but it does make it easier to pass additional legislation that criminalizes use of these services or prevents tech companies from re-entering the market at a later date.

The effect on international law is more disturbing. In the wake of multiple revelations about abusive deployments of phone-compromising malware offered by a handful of tech companies, legislation has been introduced (and passed) elsewhere in the world that mandates proactive efforts to secure personal devices and eliminate exposed exploits. The UK government simply does not want this to happen, so it has set itself against the rest of its European neighbors by attempting to mandate a hands-off (or, at least, an “ask permission first”) approach to device security.

Against this backdrop, the main issue Objectives 3 and 4 jointly pose is that the United Kingdom could breach international human rights law by, for example, preventing a communications services provider from either fixing security gaps in software through the provision of security updates or applying advanced protections such as end-to-end encryption to their services, at a global level. Specifically, these measures not only are unlikely to survive the necessity and proportionality test enshrined in Article 8 of the European Convention on Human Rights (ECHR), which guarantees the right to respect for private life, but they could also result in failure to respect the human rights of individuals located abroad.

Once again, this will have no effect domestically because the UK government has already decided it no longer wants to be a part of any union overseen by its European neighbors. But the extraterritorial demands proposed in the amendments place obligations on entities located elsewhere in the world, which the UK government believes should be complied with, even if its demands violate foreign laws.

What the UK government wants is global application of domestic policy. It wants service providers to violate laws in their home countries in order to comply with UK-specific mandates. It wants device makers and software developers to offer either UK-specific, pre-compromised versions of their offerings or simply to break everything for everyone everywhere just to make it easier for the UK government to engage in the surveillance it claims is essential to the nation’s survival.

Neither of these options are practical. Nor are they lawful — not as long as the UK government feels it can impose its will on entities located outside of its borders. But the UK continues to persist. And it apparently won’t stop until the rest of the world gives it what it wants.


Comments on “UK Government Serves Up Possibly-Illegal Amendments To The Investigatory Powers Act”

This comment has been deemed insightful by the community.
Anonymous Coward says:

So, the push continues. The original IPA (Investigatory Powers Act) did a lot of damage to internet users’ security and placed plenty of burdens on service providers. But, because things like terrorism and the sexual abuse of children continue to exist, these key leverage points have been deployed repeatedly as supposed justification for things like breaking/criminalizing encryption and forcing service providers to collect and store massive amounts of data on their customers.

We see the same pattern again and again: an ineffective policy is not repealed, as it would be logical to do, but doubled and tripled down on. See the US’s War on Drugs as a prime example.

Matthew N. Bennett says:

Neither of these options are practical. Nor are they lawful — not as long as the UK government feels it can impose its will on entities located outside of its borders. But the UK continues to persist. And it apparently won’t stop until the rest of the world gives it what it wants.

I giggle at the thought that the irrelevant island nation is going to try and force the rest of the world to play ball with their insanity. They expect everyone to play along, but the reality is that companies will just leave the UK entirely. From what I’ve heard, it sounds like most businesses are just waiting around for a reason to do so, anyhow.

Martyn says:

Thankfully FOSS is unaffected

If there’s no profit motive, there’s no way to dictate these changes.

RIPA was originally meant to make it illegal to make information unintelligible to investigating police by means of encryption, yet, the use of plausibly deniable steganography defeats it. If what the police see is intelligible, then it’s irrelevant if the police think there’s further hidden information.

The Digital Economy Act in 2010 was meant to end online piracy. It didn’t. In 2017, it was meant to restrict access to pornography, it didn’t. As of 2023, children can pirate as much XXX online as they like the same way us adults did when we were children (P2P, BitTorrent).

Now we have the IPA potentially “requiring” Home Office authorisation before new security features can be added to existing software products. This won’t work either because all the underlying features they wish to restrict are already decades old and are supplied as part of operating systems already, and will continue to be added for banking/financial/military purposes in a transparent way.

Anonymous Coward says:

Lord Palmerston lives

Neither of these options are practical. Nor are they lawful — not as long as the UK government feels it can impose its will on entities located outside of its borders. But the UK continues to persist. And it apparently won’t stop until the rest of the world gives it what it wants.

They’re probably counting on Lord Palmerston sending a few gunboats. I’m pretty sure that’s the century the promoters of these ideas are living in.

PaulT (profile) says:

Re: Re:

You’re not wrong in some terms, but if you’re going to blame the electorate for a government it helps to check if they actually had a popular mandate or not. When someone gets power with a minority vote (as the Tories have in the UK since 2010, and Trump did for his single term in the US), it seems wrong to blame them all for the outcome, since by definition a majority of them didn’t vote for it.

Some things are rather more complicated, even if you somehow believe that everyone who voted Tory is in favour of this bill.

PaulT (profile) says:

Re: Re:

Sadly not a guarantee. There’s many “walls of reality” hitting the UK right now, and the reaction from some is to blame the walls for being there instead of the people hurtling headfirst into them.

The problem, as ever, is a system that allows a minority government largely motivated by profit and an opposition to lower classes to remain in power. As someone who grew up in the UK in the 80s, this is typical Tory rubbish, and they’re probably working out how to scapegoat the next government for the problems they caused now that the general public seems determined to get rid of them again.
