The UK government has been hit by fresh criticism over its recently announced legislation on online surveillance.
The legislation itself has been sold by the UK government as being less intrusive than a similar bill in 2011. However, a closer look at the draft bill suggests that although broadly speaking it is, the finer points within it could potentially have even further-reaching consequences.
In fact, the draft legislation has been criticized by Tim Cook, Apple’s CEO, in a rare comment on a country’s policies - ‘if you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go’.
His major issues with the provisions that the government have written into the legislation are that they can force companies to:
- Provide assistance to the government to hack their own users
- Be mandated to open their networks up to bulk interception of data
- Be required to modify their technologies to make the interception of data easier, even to the extent of removing “electronic protections” applied to them
What these essentially mean is that the bond of trust that technology companies have with their customers must be broken by law. Even if somebody doesn’t know that they are having their communications looked at, there is the potential that the government could have asked for it and the company would have to agree. This is mainly targeted at the end-to-end encryption of services like iMessage, Facebook Messenger and WhatsApp.
It is essentially writing into law the very core of what the Edward Snowden leaks revealed governments to be doing and potentially making it even easier for governments to do it. Rather than needing to find their own back doors into a company’s system, the company would in theory need to give access or face jail.
However, this is not to say that this legislation would be easy to implement, especially amongst the largest tech companies.
One of the main points of contention in the bill is that it refers to these tech companies as ‘Public Telecommunications Providers’, a category that most of the large tech companies do not classify themselves under. This leaves the government open to court challenges against carrying out any orders, potentially holding up the process for an indefinite amount of time.
Another aspect that could be to the advantage of these companies is that the end-to-end encryption removal needs to be ‘reasonably practicable’. Often entire systems are built around the premise of this security, so it would not be difficult to argue that this removal would fall well outside of what would be practicable.
The punishment for not complying with these orders will be fines and potential imprisonment. The bigger question is whether the leaders of these tech companies will see that as a worse punishment than betraying the trust put in them by their customers.