investigatory powers act blog

Watch, Wait and Pray: The Potential Impact of Updates to the Investigatory Powers Act

When it comes to technology regulation, the British government seems to be lurching from one controversy to another. Fresh from a battle with Big Tech over end-to-end encryption (E2EE) in its highly contentious Online Safety Bill, the government is now turning its attention to proposed updates to the Investigatory Powers Act (IPA).

If put into force in their current form, the proposals could turn the UK into a Wild West for cyber threats and exploitation and may force countless technology providers to pull their services from the market, leaving users stuck with insecure and ineffective communications tools.

What’s New In The IPA?

The IPA was widely known as the “Snooper’s Charter” for a very good reason. Among its most controversial provisions is to allow the government to demand tech communication providers alter their services to enable government snooping in a way which might undermine security for all. A Technical Capability Notice (TCN) is the primary means of doing so. It could theoretically require “removal by a relevant operator of electronic protection” as long as the government can prove that this would be proportionate to its end goal. As such requests are secret, we can only imagine that none have succeeded thus far, as the tech companies involved would most likely have reacted by threatening to exit the market.

There are several objectives listed as part of the proposed IPA updates. But two could be particularly problematic for UK business:

Objective 3

broadens the IPA’s existing extraterritorial coverage, forcing global tech companies to stick to the government’s rules in every country they operate in. The reason given is to resolve any potential “uncertainty” for the government in issuing TCNs to firms with “complex corporate structures”. The objective also proposes to “strengthen the enforcement options available for non-compliance with the notices regimes” alongside this objective.

Objective 4

adds an obligation for “operators” to “inform the Secretary of State of relevant changes, including technical changes,” and to do so “a reasonable time before relevant changes are implemented”. Such changes are not specified but could be taken to mean any new security feature introduced by a technology provider or even security updates that fix vulnerabilities. Theoretically, the Secretary of State could block such changes, which would impact all end users of messaging services and communications devices.

What A New IPA Could Lead To

Privacy and security advocates are understandably shocked by the proposals. And Apple has already said it will remove services like iMessage and FaceTime from the UK if they are implemented. There are several obvious reasons why not just tech firms but also businesses and consumers would oppose a new IPA:

Objective 3 Would:

  • Potentially undermine security for journalists, dissidents and others in various parts of the world who are reliant on secure communications to evade the attention of autocratic governments.
  • Put tech firms in an impossible place: forced to comply with new requirements from the UK government, which may actually break international human rights laws and contradict the rules laid down in legislation like the GDPR, which puts security by design at its heart.

 

“The proposed obligation to inform HMG before any technical changes are made has incensed several of the tech vendors, big and small. I really don’t know why the government is suggesting it as they must know the reaction it was going to cause,” Surrey University’s Professor Alan Woodward tells ISMS.online.

“The bottom line is that if the government tries to force it, the tech companies affected will refuse to comply. And if that requires pulling out of the UK, they will do exactly that. It seems extraordinarily naive that the government would imagine our laws would override the laws of other jurisdictions – particularly the jurisdiction where the vendor is based.”

Objective 4 Might Lead To:

  • The UK government deliberately blocking or delaying security updates so its spies can exploit underlying vulnerabilities for surveillance purposes.
  • Patches taking longer to release or being held back indefinitely allowing threat actors ample time to research exploits.
  • Threat actors targeting government systems for information about pending vendor patches

 

“Delaying security updates is always bad because even if you have no evidence that a vulnerability is being exploited, the fact the vendor found it means someone else may have done so. And every minute you delay is extra time for them to exploit it,” Woodward continues.

“It’s difficult not to conclude that the government wants to know about such changes in advance in case it affects a vulnerability it is already exploiting for surveillance.”

How Likely Is It?

The public consultation period on what the government describes as the “revised notices regimes” in the IPA 2016 has now closed. Therefore, nothing has been decided yet, and there are several reasons why the most controversial proposals may not make it into the final revisions.

As Privacy International argues, objectives 3 and 4 could jointly see the UK breach international human rights law—particularly the right to respect for private life enshrined in Article 8 of the European Convention on Human Rights (ECHR). That’s because, by preventing a comms service provider from applying security updates or advanced protection like E2EE, the government would be denying that right not just to the UK but to global citizens. It’s challenging to think of a case when authorising these powers would be “necessary and proportionate”, as the ECHR requires.

“In the evolving landscape of digital rights and security, these proposed changes underscore the imperative need for governments to strike an appropriate balance between national security and individual rights,” Privacy International argues. “As it revises domestic surveillance laws, the United Kingdom should recommit to its obligations under international law to safeguard individual rights at home and abroad.”

The second reason is more nakedly commercial. If the government had its way and these proposals were enacted, the digital world would become significantly less secure. But tech providers simply won’t let this happen.

“Ultimately, market forces will determine how these companies react: they will not do something for a relatively small market like the UK when it might drive away customers in other large markets,” Woodward concludes.

A worst-case scenario for UK firms is that the proposals are enacted in some way only in the UK, leading tech firms to withdraw some of their most secure services from the country. That would likely turn a long-standing government pledge on its head and make Britain the least safe place to do business online in the world.

Streamline your workflow with our new Jira integration! Learn more here.