Around 30 cybersecurity experts, cryptographers and academics have written to Home Secretary James Cleverly, urging the government to reconsider proposed changes to the UK's surveillance laws, warning that they would create significant “bureaucratic hurdles” to fixing security vulnerabilities in computer systems.
Proposed changes to the 2016 Investigatory Powers Act (IPA), also known as the Snoopers' Charter, will exacerbate the “unprecedented and growing cybercrime threat” for internet users around the world, and particularly in the UK, the group said in an open letter.
The letter also states that measures proposed in the Investigatory Powers (Amendment) Bill, currently moving through Parliament, would prevent or delay the introduction of end-to-end encryption by tech companies into their messaging and email services. They have also raised concerns that it could be used for
Signatories, who signed in their personal capacities, include Phil Zimmermann, developer of the PGP encryption software; Jon Callas, co-founder of PGP and former senior scientist at Apple; and Tarah Wheeler, senior fellow for global cyber policy at the Council on Foreign Relations (CFR), a Washington-based think tank.
Other signatories include Marwan Fayed, a visiting professor and research director at Cloudflare Research, and Mallory Knodel, a principal engineer at the Center for Democracy and Technology and a member of the Internet Architecture Board.
Notification system
At issue are two proposed amendments to the Investigatory Powers Act. The first is the introduction of “notification notices”, which would require technology companies to notify the government before making technical changes to their services that could affect existing arrangements for providing lawful access to government agencies.
The second would prevent technology companies from making changes to their systems while they appeal a government notice, until the appeal has been reviewed.
Open letter from cybersecurity experts, cryptographers and academics
Security experts say these measures, taken together, could significantly delay companies' ability to update their systems to address new security threats.
“If enacted, these proposals would introduce bureaucratic hurdles that slow the development and deployment of security updates, with dire consequences for the security of UK service users,” the letter said.
“This would create a situation where the UK government would effectively dictate how technology is built and maintained, seriously undermining user trust in the safety and security of services and products,” it added.
The open letter says cybercrime will cost consumers and businesses £8.4 trillion a year by 2025. It cites Department for Science, Innovation and Technology figures from April 2023 showing that 26% of medium-sized businesses and 37% of large businesses had been victims of cybercrime over the previous 12 months.
“These proposals would weaken security protections, not just for UK operators but for all users around the world, by impeding the ability of operators to quickly deploy software updates to patch vulnerabilities, and would exacerbate these risks,” the letter states.
The Investigatory Powers (Amendment) Bill does not indicate how long it will take for the government to complete its review of challenges from technology companies that have received notices to change their systems.
Threats to encryption
A government spokesperson told Computer Weekly that there is no intention to use the Investigatory Powers Act to force technology companies to weaken their end-to-end encryption services.
However, the government has also issued statements in recent years calling on technology companies to provide law enforcement with access to encrypted communications, which cryptographers say would amount to “breaking encryption”.
The letter said the proposed “notice and freeze” amendments to the Investigatory Powers Act would give the UK government the power to ban or block product updates that introduce end-to-end encryption by default.
Combined with other measures such as the Online Safety Act, which gives the regulator Ofcom the power to require technology companies to scan encrypted messages for child abuse content, the new powers could be used to block or weaken end-to-end encryption, security experts say.
For example, Section 253(5)(c) of the Investigatory Powers Act authorises the government to issue technical capability notices requiring the removal or alteration of “electronic protection” that technology companies have applied to communications or data.
“Cryptographers and security and privacy experts have long been concerned about the potential for the IPA's notice powers to be used to force operators to build backdoors, or to prevent operators from adopting encryption by default in their services,” the letter states.
The signatories said they were “deeply concerned” that the proposals were “against the best interests of the British public, businesses and internet users around the world”.
Meta encryption plans may be targeted
Mallory Knodel, one of the signatories to the letter and a principal engineer at the Center for Democracy and Technology, said there were concerns that if the proposed changes to the Investigatory Powers Act became law, ministers could use them to freeze or delay technology companies' plans to deploy end-to-end encryption.
Meta has been repeatedly criticized by governments, including the UK, over its decision to introduce end-to-end encryption for its Facebook, Messenger and Instagram services.
In April 2023, the Virtual Global Taskforce, a group of 15 law enforcement agencies including the FBI and the UK's National Crime Agency, criticised Meta's plan to implement encryption as a “deliberate design choice” that weakened its ability to keep children safe.
In September 2023, then Home Secretary Suella Braverman challenged Meta to either introduce technology to keep children safe online or abandon its end-to-end encryption plans altogether.
Knodel told Computer Weekly: “You don't make a strong statement like that and then take no action when the law requires something to be done.”
Other technology companies are understood to be waiting to see how the UK reacts to Meta before speaking publicly about their encryption plans.
These include companies like X, Discord, and Slack, which are facing pressure from civil society groups to secure their services with end-to-end encryption.
“We are urging companies to adopt end-to-end encryption sooner rather than later, so that no regime, democratic or otherwise, can use policymaking to undermine that technology. If you want to do that, you have to climb a very steep mountain,” Knodel said.
De facto power
The open letter follows an intervention from the tech industry body TechUK, which represents 1,000 technology companies. On 30 January 2023, it warned that the amendments to the IPA could give the UK government de facto powers to prevent companies from making changes to their products and services in the UK and other countries.
“Instead of focusing on improving user privacy and security, companies will have to divert their attention to meeting government surveillance needs. This is concerning, especially in a world where threats to the security of user data continue to grow,” TechUK said in a statement.
Home Office – No plans to restrict security patches
The Home Office insists it does not intend to subject security patches to the notification requirements of the Investigatory Powers Act, and that it would never stop security patches from being applied to systems.
A government spokesperson said: “The government's first job is to protect the security of the country. Investigatory powers are an essential tool to protect the public and have existed since the 1980s.
“We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption. However, this cannot come at the expense of public safety. It is important that decisions are made by people with democratic accountability.”
The Investigatory Powers (Amendment) Bill is awaiting second reading in the House of Commons.