No Backdoors But UK Government Still Wants Encryption Decrypted On Request…

Yesterday the U.K. Home Secretary, Theresa May, spent two hours giving evidence to a joint select committee tasked with scrutinizing proposed new surveillance legislation.

The draft Investigatory Powers Bill, covering the operation of surveillance capabilities deployed by domestic security and law enforcement agencies, is currently before parliament — with the government aiming to legislate by the end of this year.

During the committee session May was asked to clarify the implications of the draft bill’s wording for encryption. Various concerns have been raised about this — not least because it includes a clause that communications providers might be required to “remove electronic protection of data”.

May was asked by the committee whether this means the government wants backdoors inserted into services, or encryption keys handed over. No, she replied: “We are not saying to them that government wants keys to their encryption — no, absolutely not.”

Encryption that can be decrypted on request

However, the clarity the committee was seeking on the encryption point failed to materialize, as May reiterated the government’s position: the expectation will be that a lawfully served warrant results in unencrypted data being handed over by the company served with the warrant.

“Where we are lawfully serving a warrant on a provider so that they are required to provide certain information to the authorities, and that warrant has been gone through the proper authorization process — so it’s entirely lawful — the company should take reasonable steps to ensure that they are able to comply with the warrant that has been served on them. That is the position today and it will be the position tomorrow under the legislation,” said May.

“As a government we believe encryption is important. It is important that data can be kept safe and secure. We are not proposing in this bill to make any changes in relation to the issue of encryption. And the legal position around that. The current legal position in respect of encryption will be repeated in the legislation of the bill. The only difference will be that the current legal position is set out in secondary legislation and it will be, obviously, in the bill,” she added.


May was pressed specifically on the implications of the legislation for end-to-end encryption. Her comments on this point provide little reassurance that the government either appreciates the technical nuance involved (i.e. that properly implemented end-to-end encryption would mean a company is unable to decrypt data itself, and therefore unable to comply with such an expectation), or is not intentionally seeking to undermine — or at very least obfuscate — the legal position around end-to-end encryption.

May was asked what the bill’s reference to removing electronic protection will mean in practice in the case where a company that has implemented end-to-end encryption tells the authorities it is unable to provide data.


“What we are saying to companies… is that when a warrant is lawfully served on them there is an expectation that they will be able to take reasonable steps to ensure that they can comply with that warrant. i.e. that they can provide the information that is being requested under that lawful warrant in a form which is legible for the authorities,” she repeated.

The weight of the bill’s requirement, as it stands, appears to rest on what is meant by the phrase “reasonable steps”, and on whether removing end-to-end encryption would be considered a reasonable step under the law. It’s unclear at this stage what the law will consider reasonable, and the lack of clarity on this point appears intentional — a way for the government to side-step the issue of end-to-end encryption without explicitly stating whether the technology effectively offers a workaround to the legislation or not.

And indeed, in other answers to the committee, May revealed that other instances of ‘untightened’ language in the bill are intentional — in order for the legislation to provide “flexibility”, as she put it, for example by allowing definitions to be broad enough to accommodate advances in technology.

Clarity vs flexibility

“It’s a balance between trying to ensure that legislation is so drafted that it is clear for people but that it isn’t so drafted that it actually means that it will only have a very, very limited life — precisely because definitions will move on and there will be developments,” she said.

At another point in the session, the lack of clarity about exactly what bulk datasets are — and the Home Office’s ongoing refusal to provide the committee with a list of these (their public existence was only revealed last March) — is also apparently intentional, with May again using the word flexibility when asked about these.

Here she seemed to mean affording agencies the wiggle-room of operational secrecy necessary not to tip off criminals about the sorts of lists they might be looking at. (Although she gave one example of a bulk dataset being a list of people with firearms licences.)

During the session, she also rejected general criticism that the bill’s language is uncertain, arguing that the definition of the so-called Internet Connection Records (ICRs) — i.e. the requirement that ISPs and other communications service providers (CSPs) log a list of websites visited by every user for a full year — has, for example, been tightened up.

But asked by the committee to give her own definition of what an ICR is — “in terms that might be understandable by a layperson” — she offered only “an equivalence” explanation, describing it as: “When you have somebody who is accessing a particular site… or is using the Internet for a particular communication, you wish to be able to identify that. You’re not trying to find out whether they have looked at certain pages of a website, which is where I think the confusion may arise because of what people felt was in the draft Communications Data Bill.

“It is simply about that access to a particular site or the use of the Internet for a communication,” she added.

May rejected the suggestion put to her by the committee that a sunset clause or regular review might be an appropriate way to ensure expansive investigatory powers do not shift, over time, to become disproportionate — arguing specifically that CSPs need the certainty that a non-bookended bill provides if they are to put in place infrastructure to enable the collection of ICRs.

Internet connection records

May fielded a lot of questions about ICRs, including whether they might not result in producing far too much data of limited utility, as well as on the costs of implementing them, the security challenges of storing so much sensitive data, and the technical feasibility of being able to capture the sort of data the agencies are after via this method.

“The confidence we have [on technical feasibility] comes from the discussions that we’ve been having with [communications service providers],” she said. “We have had numerous discussions with them about how access to ICRs may be achieved.

“The discussions we’ve had with them have been about some of these technical issues — about access. And obviously there are different ways in which different providers approach the way they operate but we are confident from those discussions that it will be technically feasible for us to be able to ensure that there is access to the information that’s necessary.”

On the costs point, May said the previously mentioned £247 million figure to reimburse ISPs/CSPs’ costs for retaining and storing ICR data is “indicative” — adding: “We are obviously still in discussion with individual CSPs about the ways in which these capabilities would be provided.”

The committee noted it had previously heard from multiple CSPs expressing doubts that the £247 million figure would cover the costs of implementing ICRs across multiple providers. And the Home Secretary was challenged on whether there would be “sufficient resource” to meet the requirements the bill proposes to place on CSPs.

She agreed to provide the committee with “further indications” of technical feasibility and costs. “We do provide reasonable cost recovery,” she added. “That’s been a long-standing policy of the U.K. government where we are requiring these companies to do things in order to have this sort of access.”

She also agreed to provide the committee with additional operational examples of why ICRs are necessary as an investigatory power.

On the point about the usefulness of ICR data itself, May was asked to respond to other evidence heard by the committee that, for example, smartphones being constantly connected to the Internet will mean that collecting a list of connected services would offer only a very muddy intelligence signal.

Asked whether she saw a danger that the government would simply end up collecting a vast amount of data of limited utility, May said the aim is to have “a more targeted approach” to handle “this issue of volume of data”, going on to argue that recording individual connections/sessions will not generate an unmanageable volume of data.

“I don’t think there’s going to be that volume of data in the much more targeted approach we will take,” said May, contrasting the IP bill ICR proposals with a prior attempt, in Denmark, to mandate telcos store data on users.

“We will have a more targeted approach. Which I think we believe will reduce that overall volume of data recorded and reduce the risk that connections are missed,” she said, adding: “I’m reliably informed that the Danish implementation was based around sampling every 500th packet, rather than recording individual Internet connections or sessions. Which is what we propose to do.”

On the issue of how the government would enforce requirements set out in the IP bill on overseas communications providers, May said it is something the Home Office is looking at.

“There are certain aspects of this legislation where we are looking at extraterritoriality. But there are requirements that we will be issuing — obviously there will be data retention notices that will be issued to communications service providers in relation to requirement for them to hold data in a way that enables that to be accessible.”

“We do repeat the position that we put into DRIPA that has always been asserted by all governments in relation to the ability to exercise a warrant against a company that is offering services in the U.K. and abiding by the law of the U.K.,” she added later.

Judicial oversight as privacy safeguard

On the overarching point about the risks to individuals’ privacy from sledgehammer measures that propose to monitor U.K. citizens in bulk, May said the safeguard against this is the double-lock mechanism, which involves both judicial and ministerial review of warrants.

“The double lock authorization is there where there are processes which are intrusive into an individual,” she argued.

On the judicial component of the double-lock, May was asked by the committee whether these judicial powers will be just narrow “process checks” or will also allow judges to assess the necessity and proportionality of warrants. She said there will be scope for judges to scrutinize the merits of a warrant — not just do a process check — but that it will be open to judges to choose which type of approach they take on a case-by-case basis.

“One of the advantages that one has with judicial review principles is that it gives the judicial commissioners a degree of flexibility as to how they approach particular cases, depending on the impact on the individual of what it is that they’re looking at. And so they will be able to make an assessment and a judgement as to how they wish to approach the evidence that is before them,” she said.

“The Secretary of State looks at necessity and proportionality of the warrantry. So it will be open to the senior high court judge to look at necessity and proportionality but they will be able, under the judicial review provisions, to have the flexibility to determine the way in which they look at that decision.”

“It will be up to the judge… to determine how they approach any particular issue,” she added. “There may well be circumstances in which they might apply a lighter touch approach to reviewing a Secretary of State’s decision. And others in which they will in fact look more at necessity and proportionality.

“The whole point of the double-lock authorization is that both parties have to agree to the warrant being applied. And if the judicial commissioner decides that the warrant should not be applied — having looked at it, and applied the tests that they need to apply — then obviously it can’t be operated.”

Bulk powers

May was also probed on the bulk powers provisions in the bill, and challenged to respond to criticism that security analysts are in fact ‘drowning in too much data’ because of such mass harvesting processes — and that bulk collection is therefore counterproductive when it comes to helping national security.

She stridently rebutted the view that measures in the bill constitute mass surveillance — asserting: “We do not collect all the data, all of the time” — before going on to argue that “bulk collection” is necessary to ensure there is a “haystack” of data available to be filtered for intelligence in the first place.

“There are a variety of ways in which of course the agencies are careful and do look to target how they deal with data. But if the suggestion is that you cannot collect any bulk data whatsoever, or have access to any bulk datasets whatsoever, then you’re going to miss the opportunity,” she said.

“It would be wrong to give the impression that we are collecting all of the data all of the time… But bulk capabilities are important because you do need — if you’re going to be able to investigate a target — you need to be able to acquire the communications in the first place and when the target is overseas bulk interception obviously is one of the key means, and indeed it may be the only means, by which it’s possible to obtain communications.”

“It isn’t the case that it is always used in an untargeted way,” she added. “Of course when we look, when particular incidents have taken place, we look at the systems that are in place to ensure that we can make the way we operate as effective as possible. Because there’s a very fundamental reason to be able to have access to this information, to be able to deal with this information; it is about keeping people safe and secure.”

May was also pressed on when operational cases will be published for the various bulk powers set out in the bill — such as bulk equipment interference powers (aka mass hacking capabilities) — with the committee noting prior warnings by QC David Anderson, who conducted the government’s independent review of terrorism legislation last summer, that there’s a risk of the legislation being unpicked at the European level without robust justification being made for such capabilities.

On this point the Home Secretary agreed to write to the committee with further explanation of why the bulk powers are necessary.

She was also probed on whether the bill afforded agencies the ability to apply for so-called thematic warrants — potentially covering “a very large number of people and therefore cannot be classed as targeted”. “The answer is no,” she said. “It will not be possible to use a thematic warrant against a very large group of people.”

“The purpose of the thematic warrant is for example circumstances in which perhaps there’s a kidnap, there’s perhaps a threat to life, and there’s only certain information available and it’s necessary because of the pace at which something is developing to be able to identify the group of people who are involved with that particular criminal activity as being within the thematic warrant,” she added.

Overseas data-sharing

May was also asked about concerns that security agencies might work around the legal framework set out in the IP bill by obtaining information from other countries, or vice versa, with one committee member noting “there isn’t very much in the bill about these issues” — and suggesting it could prove a sizable loophole in what is supposed to be a transparent legal framework for the operation of secretive state surveillance powers.

“We do look at the handling arrangements that are in place when we are sharing material with overseas partners. It’s clause 41 of the draft bill that sets out that before intercept material is shared with an overseas authority the issuing authority sharing the material must be satisfied that they’ve got appropriate handling arrangements in place to protect the material. Equivalent to those that apply under clause 40,” said May.

“There will be codes of practice [in the case of U.K. agencies receiving data shared by overseas countries],” she added. “We’ve been very clear that in terms of ensuring that where information is obtained it is done so against an appropriate legal framework. And that there are provisions in place that ensure that the agencies operate and only obtain information where it is lawful for them to do so.”

The questioner followed up by asking where that legal framework can be found — wondering whether it comes down to a series of international treaties, some of which may not be in the public domain. May did not give a clear answer on this, saying only: “There are various aspects to the legal framework against which the agencies operate,” before suggesting she could again write to the committee to provide more information on this point.

The evidence session was the last one the committee will hear. It will now begin compiling its recommendations — with a report due to be published by mid February.