The UK's draft Investigatory Powers Bill

The United Kingdom's draft Investigatory Powers Bill is looking draconian. George Danezis from University College London has an excellent blog post detailing the most serious implications of the bill, particularly its gagging orders against disclosure of state surveillance.

Of particular interest on this blog is Section 190(8) and its references to "technical capability notices". These are obligations imposed on telcos "relating to the removal of electronic protection applied by a relevant operator to any communications or data". A more colloquial explanation is that it is a requirement to implement back doors into encrypted communications. A back door is a secret way to bypass the encryption and read the plain text of the communication undetected.

Government-mandated back doors raise a number of issues that are discussed in detail by a group of security experts here. Increased system complexity is one likely result - it is not a simple task to implement back doors in the wide variety of systems that exist. It is also risky, as it would require access to encryption keys by government agencies. That introduces a security problem, as it concentrates keys in one place, making them an extremely tempting target for hackers.

It is also doubtful whether mandated back doors in popular software applications will be of much use in combating terrorism, as there are many alternatives that can be used. And it is quite trivial for organised groups to roll their own encryption applications using toolkits such as OpenSSL.

Apart from the damage that mandating back doors will do to system complexity and innovation, the sting in the tail from the draft bill is that those given technical capability notices "must not disclose the existence and contents of the notice to any other person". So back doors must remain secret, under the threat of up to 12 months imprisonment. This means there can be no debate about back doors, or even an acknowledgement of their existence - and no exceptions.

What applications might be affected by such legislation? Both WhatsApp and Apple’s iMessage use end-to-end encryption, and are very widely used. This makes them obvious targets.

The draft bill will be debated and consulted upon in the coming weeks, and will be formally introduced to parliament some time in the New Year.

Posted by John Faulds in