UK Home Secretary Amber Rudd Already Has Sweeping Powers To Attack Encryption
By Jim Killock – OpenRightsGroup: Amber Rudd has engaged in another attack on people’s security by suggesting that companies must be able to ‘remove’ encryption.
The striking thing is that if she was genuinely serious about her suggestion, she would not be making public demands; she would be signing legal orders to force companies to change their products. She would not be telling us about this.
Last year, the UK Government passed the Investigatory Powers Act, which gives British law enforcement and intelligence agencies vast surveillance powers.
These powers already purport to grant the minister the ability to issue a “Technical Capability Notice” with which Amber Rudd could instruct WhatsApp to re-engineer their product to be surveillance-friendly.
Get Briefed, Get Weekly Intelligence Reports - Essential Weekend Reading - Safe Subscribe
The TCN could, for instance, instruct WhatsApp to enable an invisible “third recipient” in the case of targeted individuals. Thus, even without asking providers to remove or weaken encryption, the UK believes it has found a way to legally compel companies to provide information from supposedly secure products.
There are enormous problems with TCNs. They can be “appealed” to a technical committee but it is unclear how well the process will ever deal with wider security concerns, or risks to the companies or their users. The process seems focused on ‘feasibility’ rather than whether introducing weaknesses is a good idea.
Fundamentally, anything which enables GCHQ to listen in could be available to someone else, whether another government, or perhaps a criminal who learns how to abuse the weakness.
These notices are not subject to any public guidance about their use. Unlike interception of communications, equipment interference (hacking), bulk communications data acquisition (mass surveillance), bulk personal datasets (everything government knows about you) and National Security Notices (orders to act), which have public codes of practice and the Home Office claims to be “consulting on” there is no obligation for a Code of Practice on TCNs which might give some insight into how these issues might be balanced.
Those codes that have been published for consultation contain 415 pages of dense detail, a mere 15 paragraphs of explanatory information, while the public, lawyers and business have been given a mere six weeks to work out what they mean.
As you can imagine, the powers outlined the codes for interception of communications, equipment interference and bulk communications data acquisition will grant Ms Rudd many avenues to surveil the likes of Adrian Elms.
We should use Amber Rudd’s cheap rhetoric as a launch pad to ask ourselves why she has such sweeping powers, and what the constraints really amount to.