Crypto Wars 2.0: Fear, Failure, and Feinstein
We already know that in some countries, like the UK, governments are drafting laws to legalise and legitimise their incredible surveillance powers. In the U.S. we are seeing legislation that is using remarkably similar language on encryption and surveillance. The next phase of the cryptowars has openly begun.
Yesterday what is being called the Feinstein-Burr decryption Bill was introduced into the US Senate and leaked online. Whilst the short title ‘Compliance with Court Orders Act of 2016’ doesn’t give much away, its clearly stated aim is ‘To require the provision of data in an intelligible format to a government pursuant to a court order and for other purposes’. Via twitter Law Professor @Elizabeth_joh highlighted provisions which will require those who handle communications data and provide encryption to be able to undo that encryption on demand:
(A) provide such information or data to such government in an intelligible format; or
(B) provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.
Around the world governments are striking back on encryption. (See our report on encryption policy around the world.) Sometimes they fail. For instance, India introduced a policy in September that it had to withdraw two days later because it wanted companies to keep decrypted copies of everything. Sometimes they succeed via the backdoor. France recently amended laws to increase fines against companies to refuse to decrypt to 15 000 euros and 5 years in jail, even though the previous power has never been used before.
Worryingly, sometimes they win in clear terms. Already UK law requires an individual to hand over encryption keys upon demand. New UK legislation being rushed through Parliament now allows the government to force decryption -- despite concerns about the lack of clarity in the Bill, raised by host of legal experts, opposition parties, and industry.
In joint submissions to Parliamentary committees reviewing the UK’s Investigatory Powers Bill, Apple Inc, Facebook Inc, Google Inc, Microsoft Corp, Twitter Inc and Yahoo Inc specifically stated that ‘Clarity on encryption is still required’ and ‘The Bill provides for the power to issue technical capability notices requiring, among other things, the removal of electronic protection where reasonably practicable.’ The companies want an explicit threshold: where a service is encrypted end-to-end, the Bill should recognise it will not be reasonably practicable to provide decrypted content.
The power is at Clause 217 of the UK Bill, but this is not an exhaustive list so further obligations related to encryption could be imposed, and as with the US Bill, such technical assistance as is necessary to obtain data.
The Draft Code of Practice on Interception of Communications, that was published with the UK Bill, expands on the power at Clause 217. Similar to the US Bill, it refers to ensuring that the content of communications can be provided to Intelligence Agencies in ‘intelligible form.’
Where the UK excels at being weak: Judicial oversight
The key difference between the two legal regimes is the reference in the UK to ‘Court Order’. What we lack in the UK Investigatory Powers Bill is independent judicial oversight. Even where there is judicial involvement in the Investigatory Powers Bill, this judicial review does not look at the merits and substance of an application, only whether the Secretary of State ticked the right boxes. Real and effective judicial oversight at a minimum is badly needed in many areas of the Bill, including in relation to Technical Capability Notices which provide broad discretionary powers to the Secretary of State, including requirement to notify the Government of new products and services in advance of their launch and creating their own products.
Security implications
What’s missing throughout all these debates is the significant risk to our security posed by these ideas. Even if one agrees in principle with the language used here, the implications for the safety and security of us all are profound. In order to be in a position to comply, the bills presuppose that a company will be able to retain access to the data of their users.
The new bar for security is end-to-end encrypted communications (and documents). This essentially precludes the service provider from reading your data. And with very good reason. Even with a security breach in the company or its servers, end-to-end secured data remains secure as only the users’ devices can unscramble the data. If passed, it is difficult to see how any company, in Britain, France, or the U.S. can offer the expected level of security to keep its users safe.
On both sides of the Atlantic privacy is at stake and just as the legislators collaborate, so should we in fighting back. The example set by these countries will set the gold standard for governments everywhere.