LONDON — The U.K. already has some of the most far-reaching surveillance laws in the democratic world. Now it’s rushing to beef them up even further — and tech firms are spooked.
Britain’s government wants to build on its landmark Investigatory Powers Act, a controversial piece of legislation dubbed the “snooper’s charter” by critics when introduced back in 2016.
That law — introduced in the wake of whistleblower Edward Snowden’s revelations of mass state surveillance — attempted to introduce more accountability into the U.K. intelligence agencies’ sprawling snooping regime by formalizing wide-ranging powers to intercept emails, texts, web history and more.
Now new legislation is triggering a fresh outcry among both industry execs and privacy campaigners — who say it could hobble efforts to protect user privacy.
Industry body TechUK has written to Home Secretary James Cleverly airing its complaints. The group’s letter warns that the Investigatory Powers (Amendment) Bill threatens technological innovation; undermines the sovereignty of other nations; and could unleash dire consequences if it sets off a domino effect overseas.
Tech companies are most concerned by a change that would allow the Home Office to issue notices preventing them from making technical updates that might impede information-sharing with U.K. intelligence agencies.
TechUK argues that, combined with pre-existing powers, the changes would “grant a de facto power to indefinitely veto companies from making changes to their products and services offered in the U.K.”
“Using this power, the government could prevent the implementation of new end-to-end encryption, or stop developers from patching vulnerabilities in code that the government or their partners would like to exploit,” Meredith Whittaker, president of secure messaging app Signal, told POLITICO when the bill was first unveiled.
The Home Office, Britain’s interior ministry, remains adamant it’s a technical and procedural set of tweaks. Home Office Minister Andrew Sharpe said at the bill’s committee stage in the House of Lords that the law was “not going to … ban end-to-end encryption or introduce a veto power for the secretary of state … contrary to what some are incorrectly speculating.”
“We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption,” a government spokesperson said. “But this cannot come at a cost to public safety, and it is critical that decisions are taken by those with democratic accountability.”
Encryption threat
Despite the protestations of industry and campaigners, the British government is whisking the bill through parliament at breakneck speed — risking the ire of lawmakers.
Ministers have so far blocked efforts to refine the bill in the House of Lords, the U.K.’s upper chamber. But there are more opportunities to contest the legislation coming, and industry is already making appeals to MPs in the hopes of paring it back in the House of Commons.
“We stress the critical need for adequate time to thoroughly discuss these changes, highlighting that rigorous scrutiny is essential given the international precedent they will set and their very serious impacts,” the TechUK letter states.
The backdrop to the row is the fraught debate on encryption that unfolded during the passage of the earlier Online Safety Act, which companies and campaigners argued could compel companies to break encryption in the name of online safety.
The bill ultimately said that the government can call for the implementation of this technology when it’s “technically feasible” and simultaneously preserves privacy.
Apple, WhatsApp and Signal have threatened to pull their services from the U.K. if asked to undermine encryption under U.K. laws.
Since the Online Safety Act passed in November, Meta announced that it had begun its rollout of end-to-end encryption on its Messenger service.
In response, Cleverly issued a statement saying he was “disappointed” that the company had gone ahead with the move despite repeated government warnings that it would make identifying child abusers on the platform more difficult.
Critics see a pincer movement. “Taken together, it appears that the Online Safety Bill’s Clause 122 is intended to undermine existing encryption, while the updates to the IPA are intended to block further rollouts of encryption,” said Whittaker.
Beyond encryption
In addition to the notice regime, rights campaigners are worried that the bill allows for the more permissive use of bulk data where there are “low or no” expectations of privacy, for wide-ranging purposes including training AI models.
Lib Dem peer Christopher Fox argued in the House of Lords that this “creates an essentially new and essentially undefined category of information” which marks “a departure from existing privacy law,” notably the Data Protection Act.
Director of campaign group Big Brother Watch, Silkie Carlo, also has issues with the newly invented category. With CCTV footage or social media posts for example, people may not have an expectation of privacy, “[but] that’s not the point, the point is that that data taken together and processed in a certain way, can be incredibly intrusive.”
Big Brother Watch is also concerned about how the bill deals with internet connection records — i.e. web logs for individuals for the last 12 months. These can currently be obtained by agencies when specific criteria are known, like the person of interest’s identity. Changes to the bill would broaden this for the purpose of “target discovery,” which Big Brother Watch characterizes as “generalized surveillance.”
Members of the House of Lords are also worried about the bill’s proposal to expand the number of people who can sanction spying on parliamentarians themselves. Right now, this requires the PM’s sign-off, but under the bill, the PM would be able to designate deputies for when he is not “available.” The change was inspired by the period in which former PM Boris Johnson was incapacitated with COVID-19.
“The purpose of this bill is to give the intelligence agencies a bit of extra agility at the margins, where the existing Rolls Royce regime is proving a bit clunky and bureaucratic,” argues David Anderson, crossbench peer and author of a review that served as a blueprint for the bill. “If you start throwing in too many safeguards, you will negate that purpose, and you will not solve the problem that bill is addressing.”
Anderson argued that the changes relating to spying on MPs and peers are necessary “if the prime minister has got COVID, or if they’re in a foreign country where they have no access to secure communications.”
This could even apply in cases where there’s a conflict of interest because spies want to snoop on the PM’s relatives or the PM himself, he added.
Amendments proposed by peers at the committee stage were uniformly rejected by the government.
The bill will return to the House of Lords for the next stage of the legislative process on January 23, before heading to the House of Commons to be debated by MPs.
“Our overarching concern is that the significance of the proposed changes to the notices regime are presented by the Home Office as minor adjustments and as such are being downplayed,” reads the TechUK letter.
“What we’re seeing across these different bills is a continual edging further towards … turning private tech companies into arms of a surveillance state,” says Carlo.