UK government accused of being misleading over new laws affecting encryption

The British government has been accused of being misleading about the significance of new proposed powers that would allow security officials to intervene if technology companies planned on introducing end-to-end encryption to their messaging services.

Under the Investigatory Powers (Amendment) Bill, officials in Westminster would be able to issue notices to tech companies on a global basis, forcing them to inform the government before making any product changes that could negatively impact their ability to comply with a warrant.

The Home Office has argued that the legislation is simply an amendment to the existing Investigatory Powers Act (2016) and that it is “not about expanding the powers but about maintaining them.”

However a briefing note seen by Recorded Future News and sent to parliamentarians by techUK — the trade association representing more than 1,000 businesses in Britain’s technology sector, including Apple and Meta — warns that the Home Office’s description of the bill “does not reflect the true significance of the changes that are being introduced.”

The contents of the briefing note, which was attached to a letter sent to the Home Secretary last month, have not previously been reported. The letter, which has been published on techUK’s website, warns that the “changes would in effect grant a de facto power to [the British government to] indefinitely veto companies from making changes to their products and services offered in the UK.”

The briefing note states: “Our overarching concern is that the significance of the proposed changes to the notices regime are presented by the Home Office as minor adjustments and as such are being downplayed.”

It calls for “adequate time to thoroughly discuss these changes, highlighting that rigorous scrutiny is essential given the international precedent they will set and their very significant impacts,” and warns of the risk that the particulars of the update to the notices regime will not be scrutinized as the government currently intends to specify them in secondary regulations, which are not voted on by lawmakers.

The tech industry’s criticisms are not the sole incident in which the Home Office has been accused of a lack of candor over this legislation. In his statutory report into the Investigatory Powers Act, House of Lords member David Anderson described the Home Office as having only “alluded … in the broadest of terms” to a change that would allow GCHQ to monitor internet logs in real-time to discover and disrupt attempts at online fraud.

Anderson, whose report did not cover the new legislation’s powers for the government to issue notices to tech companies, wrote: “It is all the more important, in these circumstances, that any proposed extra condition … should receive proper pre-legislative scrutiny.”

Despite Anderson’s call for proper scrutiny, the bill is currently racing through Parliament. It was introduced to the House of Lords in November and, after a two-day examination in December, will be voted on later this month before progressing to the House of Commons.

The accelerated timetable is likely to in part be driven by a general election in the United Kingdom this year, which shortens the amount of time available for legislation to be considered in this parliamentary session. The date of the election has not yet been set.

Crypto Wars ad nauseam

The new legislation follows a vituperative exchange between the government and the wider technology industry during the passing of the Online Safety Act, which contained a provision that could require end-to-end encrypted messaging platforms to use “accredited technology” to identify particular kinds of content.

Technology companies, including Apple and Meta, claimed the provision risked nullifying the protections they give users and would expose sensitive messages to interception. They threatened to pull their services out of the country instead of compromise on the end-to-end encryption features they offer their users.

Following the publication of the Investigatory Powers (Amendment) Bill, the social media giant Meta announced that it had started rolling out end-to-end encryption as a default globally “for all personal chats and calls on Messenger and Facebook,” potentially foiling any government attempt to issue a notice once the power became available.

Meta’s move, which has been one of the most commonly cited concerns about encryption by the British government, provoked criticism from officials, with a senior member of the National Crime Agency warning it would “no longer be possible” for Meta to keep children safe on its platform. Meta has cited several tools that it argues would enable it to continue keeping children safe.

In the letter to the Home Secretary, techUK's members argued that the proposed changes under the amendment bill were going to constrain product development and launches in Britain, and “could impede” tech firms from taking “immediate action to protect users from active security threats.”

A spokesperson for the Home Office told Recorded Future News that there was no intention for security patches to be covered by the notification requirement, and stressed that in a democracy decisions about security and privacy should be made by government and not multinational companies.

“We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption. But this cannot come at a cost to public safety, and it is critical that decisions are taken by those with democratic accountability,” the spokesperson said.

A techUK representative said that the trade association “supports the Home Office's aim of ensuring investigatory powers are effective” and noted that alongside its members it had worked with the Home Office “to find a balance between security and privacy” during the passing of the original legislation.

However, they argued that in its current form the amendment bill “escalates the possibility of conflicts of law, potentially impeding technological advancements aimed at bolstering consumer privacy, integrity, and security.”

The trade association said it was committed to working with the Home Office again “to make targeted changes to the Bill that we have outlined in our letter. We believe that would allow the Home Office to achieve its stated aims while also striking a balance for government, businesses and citizens.”