May 16, 2017 | Mike Morel

The UK Government should protect encryption not threaten it

It is difficult to overstate the importance of encryption. It is a cornerstone of the modern digital economy: we rely on it when we use our digital devices or make transactions online. Physical infrastructure like power stations and transport systems is dependent on it too.


Encryption also strengthens democracy by underpinning digital press freedom. Whistleblowers can’t safely reveal official corruption to journalists without it.

Laws restricting encrypted communications have generally been associated with more authoritarian governments, but lately proposals to circumvent encryption have been creeping into western democracies. Former Prime Minister David Cameron attacked encryption after the Paris attacks in 2015, and Home Secretary Amber Rudd MP recently said that there should be a way around end-to-end encryption on devices like WhatsApp.

As it happens, Amber Rudd already has legislation that claims to give her the power to tell WhatsApp to remove “electronic protection” (read “encryption”). She can issue a technical capability notice (TCN) which instructs commercial software developers to produce work-arounds in their software without outlawing or limiting encryption itself. Just over a week ago, ORG leaked a secret Home Office consultation on the draft TCN regulation, which gives more detail about how this power can be used.

To be clear, this goes way beyond WhatsApp. The Government wants access to all UK telecommunications, encompassing a wide variety of services. Any organisation that facilitates communications among 10,000 or more users could be issued a TCN, including email account providers, data storage services, games companies, and (they claim) even overseas operators with enough UK users.

The current ransomware outbreak shows how software vulnerabilities used by security agencies can fall into the wrong hands. There is no reason to think backdoors intentionally created for Government access could not be exploited as well. Why start a digital arms race when we may be releasing new weapons to criminals and hostile governments?

The lack of transparency surrounding TCNs is another problem. The regulation makes no mention of oversight or risk assessment mechanisms, and the consultation’s secrecy reduces accountability even more. Sometimes the Government has good reason for secrecy, but this is not one of those times. When digital services are compromised, people must know, because it affects their privacy and security and everyone has a right to protect themselves.

Business owners should be concerned because their products and customers could be seriously affected, and the process by which they might appeal a TCN is unclear. The only real grounds for complaint appear to be “feasibility” — and many things may be “feasible” but a very bad idea.

From securing the economy to underpinning press freedom, the need for strong encryption is vital. We alter it at our own peril, especially if we do so in secret. Tell the Home Office yourself before the secret consultation ends on 19 May.

See ORG’s detailed breakdown of the TCN regulation here.