UK government can force encryption removal, but fears losing, experts say
Investigatory Powers Act lets UK compel removal of electronic protection but it would face enforcement challenges and risk driving targets to other services
By Alex Hern
Mar 29 2017
The government already has the power to force technology firms to act as it wants over end-to-end encryption, but is avoiding using existing legislation as it would force it into a battle it would eventually lose, security experts have said.
The Investigatory Powers Act, made law in late 2016, allows the government to compel communications providers to remove “electronic protection applied … to any communications or data”.
On Sunday the Home Secretary Amber Rudd called on “organisations like WhatsApp”, which is owned by Facebook, to make sure that they “don’t provide a secret place for terrorists to communicate with each other”. Rudd hinted at new legislation if they did not cooperate, despite the existing legislation already allowing the government to force such cooperation.
Alec Muffett, who is a technical advisor and board member for the Open Rights Group, said that using the existing legislation would lead the government into an argument it will lose “though they may buy some time forcing people to pay lip-service to it”.
“Eventually they will lose the battle because they will never (for instance) coerce the global open-source community to comply,” Muffett said. “Government time and money would be better spent elsewhere – pursuing criminals through ‘human’ means and by building upon metadata – than in attempting to combat ‘secure communication across the internet’ as an abstract entity.”
Muffett, who previously worked at Facebook and was the lead engineer for adding end-to-end Encryption to Facebook Messenger, added that actually attempting to enforce the law as it stands would require “a massively illiberal and misconceived business case … to be thrust upon Facebook/WhatsApp in order to force it to undermine its own security technologies”.
“It would be an ugly battle, and (win or lose) it would be self-defeating,” Muffett said. “People would flee a less secure, less competitive Facebook and move to other platforms – ones with less cordial government relationships, or with no corporate presence at all.”
Antony Walker, the deputy CEO of techUK, added that the existing law already gives the UK a strong range of powers “that enable the security services to do their job”. He said: “This legislation was put in place following an extensive and rigorous process of parliamentary scrutiny focused on ensuring the checks necessary to keep a democratic society secure.