The Investigatory Powers Act, which was passed in late 2016, allows the UK government to demand that communications providers remove electronic protection applied to any communications or data. While the act does not place an outright ban on encryption, law enforcement agencies can require companies to hand over decrypted data, and the act has received considerable criticism since becoming law. The Court of Justice of the European Union has ruled that the act's predecessor legislation, whose data retention provisions were carried over into the act, breached people's rights by collecting internet activity records and letting public bodies grant themselves access to them with no requirement of suspicion of serious crime and no independent sign-off. A similar law is currently under review in Australia; however, legislators there have been keen to avoid introducing weaknesses by using "backdoor" methods to access data.
It remains unclear whether end-to-end encryption is effectively outlawed by the Investigatory Powers Act
The Investigatory Powers Act creates powers for UK intelligence agencies and law enforcement to carry out targeted and bulk interception and collection of communications. Communications service providers are required to retain UK internet users' internet connection records for one year so that police and intelligence officers can access them. Communications service providers must also assist law enforcement agencies in carrying out targeted equipment interference, and must be capable of removing any encryption they have applied to data.
Since becoming law, the act has raised concerns about the balance between privacy and security, especially regarding the ability of the UK government to undermine encryption and demand "backdoor" surveillance. Tech companies have pushed for a rigorous oversight regime and have raised concerns over the cost of compliance. A particularly contentious issue is the obligation on communications providers to notify the government in advance of any new services being deployed, together with the government's power to demand technical changes to software and systems. Critics such as Apple have argued that introducing a "back door" into encrypted services for the security services to use would make those services more vulnerable to interception by criminals and would therefore weaken security for everyone. Restrictions on encryption could also make companies that rely on it less willing to do business in the UK.
While the act does not explicitly outlaw end-to-end encryption, a provider that does not hold the encryption keys (e.g., WhatsApp) cannot hand over decrypted data. Such a provider would be unable to comply with a demand for decrypted data and could instead receive a technical capability notice. Technical capability notices impose obligations on an operator to ensure that it is capable of providing assistance should it receive an interception warrant. These notices could therefore be used to force companies to abandon end-to-end encryption, although the UK government has never explicitly stated that they will be used this way. One messaging provider, WhatsApp, has stated that it remains committed to end-to-end encryption in the UK and has no plans to change this stance.
In January 2018, the UK Court of Appeal, applying an earlier ruling by the Court of Justice of the European Union, declared that the Data Retention and Investigatory Powers Act (DRIPA) – which expired in 2016 and was replaced by the Investigatory Powers Act – was incompatible with EU law. The case was brought in a crowdfunded legal challenge by the human rights group Liberty, which argued that the act violated the public's right to privacy by allowing the storage of, and access to, internet data. The same provisions were carried over into the Investigatory Powers Act and therefore need to be rewritten to comply with EU law.
The government has accepted that the act was inconsistent with EU law because access to retained data was not limited to the purpose of combating serious crime and was not subject to prior review by a court or other independent body. In anticipation of the ruling, the Home Office announced a series of new safeguards in 2017, including removing the power of senior police officers to authorize their own requests and requiring that requests for communications data be approved by the Investigatory Powers Commissioner. However, law enforcement agencies will retain the ability to require operators to remove encryption for the purpose of preventing crime, subject to prior independent approval.
The UK is not alone in the contest between privacy and security. In June 2018, the Australian government drafted similar legislation that would force companies to cooperate with security agencies seeking access to encrypted data. However, ministers have said that the legislation will avoid introducing weaknesses through "backdoor" methods of accessing data. Instead, there are plans to legislate for alternative access to data, most likely a "front door" method – a means of accessing the information before it is encrypted. Currently, tech companies voluntarily hand over data when requested by law enforcement. In 2H17, Apple received 2,601 requests for access to devices from Australian law enforcement agencies and granted them in 87% of cases. In August 2018, a meeting of the Five Eyes nations (the intelligence-sharing alliance between the US, the UK, Canada, Australia, and New Zealand) produced a joint statement calling on tech companies to voluntarily build back doors into their encrypted products. This issue appears to be gaining momentum as governments increasingly view encryption as an impediment to law enforcement.
UK (Country Regulation Overview), GLB005-000029 (March 2018)
"The UK's Investigatory Powers Bill may yet be struck down," TE0007-001094 (November 2016)
Sarah McBride, Analyst, Regulation