Tech firms: Investigatory Powers review will undermine privacy of UK citizens

Government has “understated” impact of new powers

Ministers say the Bill will ensure intelligence and security agencies keep pace with developments in technology, and will introduce only “targeted and modest” amendments to the existing legislation.

But an unpublished briefing paper sent by TechUK to the Home Office in December 2023 argues that the government has “understated” the impact of the proposed changes to the Investigatory Powers Act.

Ministers argue that the changes to the Investigatory Powers Act are “not about expanding the powers but about maintaining them”.

But TechUK disputes this in the briefing paper sent to Cleverly. “We believe that this statement does not reflect the true significance of the changes that are being introduced,” it says.

The government, it claims, is presenting changes to the surveillance regime as “minor adjustments” when in fact they could impact the privacy and security of the internet.

“While the Bill states it aims to provide small technical improvements, the true impact of these could be far greater,” it suggests. “Some of the changes in the Bill have the potential to be very far-reaching.”

Notifications

Tech companies have raised particular concerns about amendments to the Investigatory Powers Act that require telecoms companies that provide surveillance capabilities to government to notify them in advance of changes they make to their systems that could impact government spying capabilities.

The Home Office argues the move will not prevent tech companies from making technical changes or rolling out new services, and that there is no intention to use the Investigatory Powers Act to prevent companies rolling out security patches.

But according to the TechUK briefing, when combined with other powers in the Investigatory Powers Act, this would amount to a de facto power for the government to “prevent companies from making changes to their services that are in the interests of their customers”.

Under the proposals, once notified of a planned change, the Home Office could issue an enforcement notice that, if approved, would require the tech company to make changes to its products.

Companies have the right to appeal through a potentially long-winded review process, but are legally prevented from making any changes until the review has been complete.

The government has given no indication how long the review, which requires assessment by a judicial commissioner and a board of technology and industry experts, will take.

“This risks creating concerns over government invasion of user privacy and making it difficult for some companies to continue to innovate their services for their users globally, including enhancing privacy, integrity and security through technologies like end-to-end encryption,” the briefing said.

Encryption could be impacted

Technologists told Computer Weekly there were concerns the proposed changes to the UK surveillance regime would enable the Home Office to restrict the use of encrypted communications services.

Intelligence agencies and the Home Office have long been campaigning to persuade technology companies, such as Signal, WhatsApp and Facebook, to provide law enforcement and intelligence agencies with back-door access to encrypted services to detect child sexual abuse and terrorism.

The Online Safety Bill, passed in October 2023, gives Ofcom powers to require tech companies to install “accredited technology” to scan encrypted messages for illegal content, in a move that specialists say would deter companies from offering encrypted services in the UK.

The amendments to the Investigatory Powers Bill appear to go further. Matthew Hodgson, CEO of Element and technical cofounder at Matrix.org, which supplies encrypted messaging services, told Computer Weekly the government’s proposals could “crush” small companies that offer encrypted services.

“The idea that UK companies need permission from the government to deploy security measures is impractical, and frankly chilling,” he said. “End-to-end-encryption has been highlighted as a technology the government must approve before a company can use it – effectively implementing a ban on future use of E2EE as if its use reduces consumer safety, when in reality it does the opposite.”

Ross Anderson, professor of security engineering at the University of Cambridge Computer Laboratory, told Computer Weekly that if tech companies had to ask the UK government for permission before releasing a product, they would simply release it elsewhere.

“Britain is much smaller than the EU, with only 1% of world population, and 3% of world GDP,” he said. “We’ll just end up missing out on stuff that people in the USA and elsewhere enjoy. Lots of firms have held back products in China rather than put up with Beijing’s demands for warrantless bulk surveillance.”

Extraterritoriality

TechUK has also raised concerns that the Investigatory Powers (Amendment) Act brings overseas tech companies under the ambit of the Investigatory Powers Act, if they are “involved” in providing telecoms to the UK.

The changes would require telecoms companies based outside the UK to comply with UK laws requiring them to supply communications data to the UK government.

The proposed changes “could infringe on the sovereignty of other nations – their rule of law – and users’ expectations in those countries not to be surveilled by foreign governments”, potentially allowing the UK to spy on non-UK citizens. “This unprecedented power could allow the UK government to require foreign companies to take actions that might conflict with their own national laws,” TechUK said in its open letter.

This amounted to a departure in the way the UK approaches extra-territorial application of its law, and would place private companies in “the untenable position of having to decide which country’s laws to comply with”, it said.

Taken overall, TechUK argues that the Investigatory Powers (Amendment) Bill could hinder technological innovations to improve consumer privacy and security, making the UK a less attractive place for investment.

“If other countries were to adopt similar legislative changes, this could pose a threat to UK businesses investing overseas by creating an uneven playing field and hindering their ability to compete in international markets, potentially harming the UK economy,” according to the open letter by Julian David.

The social media company, Meta, which was widely seen as the target of government legislative attempts to restrict encryption, announced plans to roll out end-to-end encryption on its Facebook messaging service and Instagram in December 2023, circumventing the Online Safety Act and the proposed amendments to the Investigatory Powers Act.

Government – secure coms cannot trump public safety

Ministers argue that they cannot outsource decisions on national security to “unaccountable multinational companies” or compromise the security of citizens “for commercial reasons”.

A Home Office spokesperson said that while the government was in favour of technological innovation and secure communications including encryption, that cannot be at the expense of public safety.

“We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption,” they said. “But this cannot come at a cost to public safety, and it is critical that decisions are taken by those with democratic accountability.”