2023-08-28
UK Government Serves Up Possibly-Illegal Amendments To The Investigatory Powers Act
For years, the UK government has sought to expand its surveillance powers. And, for years, it has rarely been prevented from doing so. Sure, there’s been a bunch of bureaucratic inactivity and unforced errors (like Brexit) that make it a bit more difficult to push legislation through, but the UK government’s thirst for more power has never been slaked.
So, the push continues. The original IPA (Investigatory Powers Act) did a lot of damage to internet users’ security and placed plenty of burdens on service providers. But, because things like terrorism and the sexual abuse of children continue to exist, these key leverage points have been deployed repeatedly as supposed justification for things like breaking/criminalizing encryption and forcing service providers to collect and store massive amounts of data on their customers.
What never seems to bother those pushing these amendments is the uncomfortable fact that the powers they desire might violate existing laws in the UK and elsewhere in the world. The latest round of revisions has been opened up for public comment. One of the first to comment publicly is Ioannis Kouvakas of Just Security, in an article pointing out how the proposed changes may be considered illegal outside of the UK.
Here’s what’s being proposed, as summarized by Kouvakas:
The proposed revisions include five objectives pertaining to changes in the notices regime within the IPA, the process through which the government can ask private companies to carry out surveillance on its behalf, such as interception of communications and equipment interference (hacking). The proposed changes to the IPA notices regimes include an obligation to comply with the content of a potential notice during the review period and before a notice is actually served, an obligation to disclose technical information about the company’s systems during the same review period, measures to strengthen the extraterritorial application of the notices and obligations for companies to give advance notice to the U.K. Secretary of State before implementing any technical changes.
As Kouvakas notes, the “notices and obligations” include things like breaking encryption — or at least weakening encryption to the point it can easily be broken if the government wants access. Introducing user security features requires notifying the Secretary of State. Not only that, but the language strongly suggests that even patching security flaws requires prior notification of the UK government, which gives the government the opportunity to reject proposed patches if it feels these fixes might interfere with its surveillance programs.
UK users’ security protections will be subservient to the government’s wishes and desires. Definitely not ideal. But the proposed changes go further. They demand extraterritorial cooperation — something that will violate international law and appears to be something the UK government simply doesn’t have the power to mandate. (Well, it has the power to mandate this, it just doesn’t have the power to force anyone outside of the UK to comply with the mandate.)
What’s being added here suggests the government isn’t happy that tech companies (most of them located in the US) have told the UK government they either won’t comply with these mandates or will simply stop offering their services in the UK.
The government’s insistence on the extraterritoriality of notices perhaps stems from the strong resistance it might have faced from companies refusing to comply with IPA requirements. As the text of the consultation highlights, “for our investigatory powers to remain effective against a backdrop of rapid technological change, companies must work openly and willingly with us…Additionally, we believe that it would be appropriate to strengthen the enforcement options available for non-compliance with the notices regimes. We propose to draw on existing precedent in wider UK legislation as a starting point for these options”
This addition would allow the government to engage in enforcement efforts that go beyond the (likely futile) civil litigation instigated by the UK Secretary of State. So most likely the levying of fines and fees against foreign service providers. Again, the UK government may not have the power to force any company to actually pay these fees, but it does make it easier to pass additional legislation that criminalizes use of these services or prevents tech companies from re-entering the market at a later date.
The effect on international law is more disturbing. In the wake of multiple revelations about abusive deployments of phone-compromising malware offered by a handful of tech companies, legislation has been introduced (and passed) elsewhere in the world that mandates proactive efforts to secure personal devices and eliminate exposed exploits. The UK government simply does not want this to happen, so it has set itself against the rest of its European neighbors by attempting to mandate a hands-off (or, at least, an “ask permission first”) approach to device security.
Against this backdrop, the main issue Objectives 3 and 4 jointly pose is that the United Kingdom could breach international human rights law by, for example, preventing a communications services provider from either fixing security gaps in software through the provision of security updates or applying advanced protections such as end-to-end encryption to their services, at a global level. Specifically, these measures not only are unlikely to survive the necessity and proportionality test enshrined in Article 8 of the European Convention on Human Rights (ECHR), which guarantees the right to respect for private life, but they could also result in failure to respect the human rights of individuals located abroad.
Once again, this will have no effect domestically because the UK government has already decided it no longer wants to be a part of any union overseen by its European neighbors. But the extraterritorial demands proposed in the amendments place obligations on entities located elsewhere in the world, which the UK government believes should be complied with, even if its demands violate foreign laws.
What the UK government wants is global application of domestic policy. It wants service providers to violate laws in their home countries in order to comply with UK-specific mandates. It wants device makers and software developers to offer either UK-specific, pre-compromised versions of their offerings or simply to break everything for everyone everywhere just to make it easier for the UK government to engage in the surveillance it claims is essential to the nation’s survival.
Neither of these options is practical. Nor are they lawful, not as long as the UK government feels it can impose its will on entities located outside of its borders. But the UK continues to persist. And it apparently won’t stop until the rest of the world gives it what it wants.
We see the same pattern again and again: an ineffective policy is not repealed, as it would be logical to do, but doubled and tripled down on. See the US’s War on Drugs as a prime example.
Re:
Power, once given is rarely ever clawed back. In the case of the UK it’s often a case of “Well we don’t NEED these powers but we should have the ABILITY to just in case.”
Re:
“See the US’s War on Drugs as a prime example”
Those who profit off the suffering of others do not like ending the war on drugs, it was/is very profitable for them.
Re: Re:
Yeah, it’s fun to say that the war on drugs is over and the drugs won. But, there’s a lot of money in keeping it active so long as you don’t care about the people affected (and a lot of capital in blaming the refugees for the problems you caused in their countries, for example).
I giggle at the thought that the irrelevant island nation is going to try and force the rest of the world to play ball with their insanity. They expect everyone to play along, but the reality is that companies will just leave the UK entirely. From what I’ve heard, it sounds like most businesses are just waiting around for a reason to do so, anyhow.
Re:
Re: No reason to wait.
Brexit. Any decision for or against UK is no longer related to a decision about the common market.
As UK and EU rules continue diverging, there will be less and less reason to focus on UK, particularly when it tries being capricious: the gain is limited by the market size, and the pain is increasing.
Re:
Don’t be too sure about that as most of the rest of the world wants the same capabilities.
Re: Re:
Completely. But they’re all going to do it their own way. Nobody is going to listen to the UK of all countries.
Re:
The UK have just managed to get MS to restructure the Activision deal. It’s still the third largest tech sector in the world. So I wouldn’t be so sure about them not having any influence.
Re: Re:
Gone are the days when the Sun Never Set on the British Empire.
Attempting to enforce extraterritoriality now is a very foolish thing, likely to simply result in the UK being told to get bent.
Fuck it.
It really is time we just disconnect the submarine cables that connect the UK to the rest of the world and be done with it.
They’ve done nothing but demonstrate time and time again that they cannot be trusted when it comes to technology and the Internet.
Re:
So… who can be trusted when it comes to technology and the Internet?
Re:
I think you’d have a problem if that same standard was applied to where you live, however.
Thankfully FOSS is unaffected
If there’s no profit motive, there’s no way to dictate these changes.
RIPA was originally meant to make it illegal to make information unintelligible to investigating police by means of encryption, yet, the use of plausibly deniable steganography defeats it. If what the police see is intelligible, then it’s irrelevant if the police thinks there’s further hidden information.
The Digital Economy Act in 2010 was meant to end online piracy. It didn’t. In 2017, it was meant to restrict access to pornography, it didn’t. As of 2023, children can pirate as much XXX online as they like the same way us adults did when we were children (P2P, BitTorrent).
Now we have the IPA potentially “requiring” Home Office authorisation before new security features can be added to existing software products. This won’t work either because all the underlying features they wish to restrict are already decades old and are supplied as part of operating systems already, and will continue to be added for banking/financial/military purposes in a transparent way.
… And what it wants is to be told “No” in no uncertain terms. To be slapped down for overreaching.
Willingly
How would any of what they are proposing the companies be required to do ever be considered “willing” if they’re having to force the companies into it with legislation?
Re:
I interpreted that phrase to mean “We can’t keep up with rapid technological change.”
Oh, no! Anyway…
Lord Palmerston lives
They’re probably counting on Lord Palmerston sending a few gunboats. I’m pretty sure that’s the century the promoters of these ideas are living in.
Re:
The citizens – who are complete morons incidentally – think that the passing of the Online Safety Bill will help “stop the boats.”
They deserve the shitstorm that’s going to hit them.
They really do.
Re: Re:
You’re not wrong in some terms, but if you’re going to blame the electorate for a government it helps to check if they actually had a popular mandate or not. When someone gets power with a minority vote (as the Tories have in the UK since 2010, and Trump did for his single term in the US), it seems wrong to blame them all for the outcome, since by definition a majority of them didn’t vote for it.
Some things are rather more complicated, even if you somehow believe that everyone who voted Tory is in favour of this bill.
Re: Re: Re:
All anyone in the UK needs to do is mention CSAM/CSEM and the people there just shut off their brains.
Do you want to kill your tech industry? This is how you kill your tech industry
Damn but the UK really wants to send itself back to pre-internet days when the telephone was considered the height of technological advancement….
Re:
Then when the UK hits the wall of reality they will backtrack.
Re: Re:
Judging by actions such as this I doubt it, they’ll likely just order what remains of their tech industry to ‘Nerd Harder!’ to get them everything they’re demanding since they’re being so very reasonable after all.
Re: Re:
Sadly not a guarantee. There’s many “walls of reality” hitting the UK right now, and the reaction from some is to blame the walls for being there instead of the people hurtling headfirst into them.
The problem, as ever, is a system that allows a minority government largely motivated by profit and an opposition to lower classes to remain in power. As someone who grew up in the UK in the 80s, this is typical Tory rubbish, and they’re probably working out how to scapegoat the next government for the problems they caused now that the general public seems determined to get rid of them again.
companies must work openly (in secret) and willingly with us
Can we stop calling this the Online Safety Bill and start calling it what it really is? Nexit.
