Yesterday, Open Rights Group received a leaked copy of the Government's draft technical capability notices (TCNs) regulation.
This is a ‘targeted consultation’ and has not been publicised to the tech industry or public. The Secretary of State is in fact not under any obligation to consult the public, but instead must consult only a small selection of organisations listed in Section 253 (6) of the Investigatory Powers Act 2016.
Executive Director Jim Killock said:
“These powers could be directed at companies like WhatsApp to limit their encryption. The regulations would make the demands that Amber Rudd made to attack end-to-end encryption a reality. But if the powers are exercised, this will be done in secret.
“The public has a right to know about government powers that could put their privacy and security at risk. There needs to be transparency about how such measures are judged to be reasonable, the risks that are imposed on users and companies, and how companies can challenge government demands that are unreasonable.
“Businesses and the public need to know they aren’t being put at risk. Sometimes, surveillance capabilities may be justified and safe: but at other times, they might put many more people – who are not suspected of any crime – at risk.
“Selective, secret consultations have no place in open Government.”
Technical capability notices (TCNs)
TCNs can be used to order companies with over 10,000 UK users to adapt their technology to enable intercept and metadata collection. While this power already existed under the Investigatory Powers Act, the regulation provides much more detail about what companies could be compelled to do if they are served with a TCN.
Potentially, these notices could be used to compel companies to introduce backdoors to end-to-end encryption, or put in place other security weaknesses, with little accountability.
The regulations state that companies could be forced to ‘modify’ their products in order to comply with Government demands.
The powers would also limit the ability of companies to develop stronger security and encryption. They could be forced to run future development plans past the Government.
Under the IP Act, TCNs may be challenged on technical grounds to an Advisory Board. They are also approved by Judicial Commissioners. However, the criteria for making a sound judgement of risk to all parties are set out neither in the Act nor in the draft regulations; nor is there a clear route of appeal.
Notes to Editors
The consultation lasts four weeks, concluding on 19 May with responses to: email@example.com.
The consultation process is outlined at Section 253 of the IP Act 2016.