Is the UK about to ban end-to-end encryption?
A look at the upcoming changes to UK state surveillance law
This newsletter is about the the proposed amendments to the UK's Investigatory Powers Act 2016. It looks at the provisions concerning technical capability notices and the implications this may have for end-to-end encryption.
Here are the key takeaways:
The Investigatory Powers Act 2016 is the principal piece of legislation regulating state surveillance in the UK. It stipulates rules for the use of various surveillance powers by government agencies like MI5, MI6 and GCHQ.
Under that Act, a technical capability notice (TCN) is an instruction given by the government to a telecommunications operator to assist with the execution of surveillance powers. For example, the government could request an operator to remove electronic protection from it service or system to aid surveillance operations.
The Investigatory Powers (Amendment) Bill, if passed, would provide the government with the ability to future-proof TCNs. The government could request from a telecommunications operator information on any changes it plans to make to its services or systems that may impact its ability to provide assistance to the government.
Therefore, in theory, the Bill could give the government the ability to stem the current or future implementation of end-to-end encryption (E2EE) by certain service providers to help fulfil state surveillance operations.
However, when reading the IPA 2016 as a whole, the path to an E2EE ban is not so clear. This is because there are various provisions that would make it difficult to use a TCN in this way, such as needing to consider the impact on privacy and the technical feasibility of the notice.
It is therefore difficult to see how a TCN could actually be used to ban current and future implementations of E2EE to aid state surveillance operations.
What is the Investigatory Powers Act 2016?
The Investigatory Powers Act 2016 is the principal piece of legislation regulating state surveillance in the UK.
It stipulates rules for the use of various surveillance powers by government agencies like MI5, MI6 and GCHQ. It makes provision for seven different types of powers:
Interception of communications
Retention of communications data
Acquisition of communications data
Bulk personal datasets
Technical capability notices
National security notices
The IPA 2016 specifies the nature, scope and limits of these powers. Supplementing the Act are codes of practice that provide more detail on the practical application of the powers.
One important feature of the IPA 2016 is what is known as the 'double lock' mechanism. This is a system of review for the approval of warrants, notices and authorisations permitting the use of surveillance powers by government agencies.
Judicial commissioners (JCs), persons who have held high judicial office in the UK, are tasked with carrying out this review process.1 For each warrant, notice or authorisation, they must look at the conduct being permitted and determine whether it is both necessary for and proportionate to the objective being pursued.
Before these warrants, notices or authorisations are reviewed by the JCs, the government agency applying for them must also consider the conduct to be necessary and proportionate. These considerations by the JCs and government agencies make up the double lock mechanism.
Accordingly, the double lock mechanism ensures that the use of surveillance powers by government agencies is compliant with human rights law. This is an important aspect of the IPA 2016 that was missing from previous versions of UK state surveillance law.
What are technical capability notices?
Under the IPA 2016, a technical capability notice (TCN) is an instruction given by the government to a telecommunications operator to assist with the execution of surveillance powers.
These notices are used to facilitate the surveillance operations of government agencies when using their powers under the IPA 2016.2 This could be in relation to interception warrants, data acquisition authorisations, bulk acquisition warrants or equipment interference warrants.
TCNs can therefore contain a range of obligations that a telecommunications operator must fulfil. These include:3
Providing facilities or services of a specified description
Obligations relating to apparatus owned or operated by an operator
The removal by an operator of electronic protection applied by or on behalf of that operator to any communications or data
Obligations relating to the security of any telecommunications service provided by an operator
Obligations relating to the handling or disclosure of information
The IPA 2016 has a very wide definition of 'telecommunications operators'. It effectively covers a wide range of entities providing communications services, including public networks, online storage providers and messaging applications.4
There are four key rules that government agencies must follow when issuing TCNs:
The obligations contained in a TCN must be necessary for and proportionate to the objective pursued, which is ensuring that the telecommunications operator can provide assistance to the government agency executing its surveillance powers.5
TCNs must be reviewed by a JC for their necessity and proportionality under the double lock mechanism.
TCNs relating to interception and equipment interference warrants cannot be imposed on telecommunications operators that do not provide a service to more than 10,000 users.6
TCNs cannot be issued to telecommunications operators solely providing banking, insurance, investment or other financial services.7
Additionally, the government must also consult the telecommunications operator before serving them with a TCN. In doing so, the following factors must be taken into account:8
The likely benefits of the TCN
The likely number of users (if known) of the service provided by the operator
The technical feasibility of complying the TCN
The likely cost of complying with the TCN
Any other effect of the TCN
Telecommunications operators can challenge TCNs if its obligations are unreasonable.9 They can refer it back to the government for review requiring JCs and technical experts to consider the pros and cons of the TCN, resulting in either its variation, revocation or replacement.
Finally, operators served with a TCN must keep it secret from the public.10 Permission is needed from the government before revealing anything about its existence or contents.
What changes does the Bill make to TCNs?
The Investigatory Powers (Amendment) Bill, if passed, would provide the government with the ability to future-proof TCNs.
The December 2023 version of the Bill would give the government the ability to request from a telecommunications operator information on any changes it plans to make to its services or systems that may impact its ability to provide assistance to the government.11 [fn, Clause 20 of Bill] This would complement the provisions already contained in the IPA 2016 on TCNs.
However, the Bill does not itself specify what changes the government must be notified of. The merely states that the types of changes in scope are ones that impact the ability of the operator to provide assistance in relation to a warrant, notice or authorisation made under the 2016 Act.
These notifications are subject to a number of rules specified by the Bill:
The notifications must be necessary and proportionate
The operator must consulted beforehand, requiring the government to consider the likely benefits of the notice, the number of users affected, the likely cost of compliance and any other effects on the operator
These notifications can only be required of operators that are either already providing assistance to the government or have done so in the past
If required to give relevant notifications to the government, telecommunications operators must also keep such requests secret from the public and comply with the requests within a reasonable time.
What does this all mean for E2EE?
In theory, the Bill could give the government the ability to stem the implementation of end-to-end encryption (E2EE) by certain service providers if it interferes with state surveillance operations.
The IPA 2016 could already be interpreted as permitting the government to request providers to remove E2EE currently implemented as part of its service. The Bill would permit the government to prevent any future implementations of E2EE.
This is due to the Act allowing TCNs to be used to request providers to remove 'electronic protection' applied to data on its service. The practical effect of this could be significant.
This is particularly because true E2EE deprives service providers of the cryptographic keys needed to decrypt the communications exchanged on its service. Accordingly, if a TCN requires the removal of E2EE, this may require the service provider to implement a different cryptographic model under which it can decrypt users' communications.
So in theory, the government could try to use a TCN to require a service provider to remove E2EE from its service or systems. But the important question here is whether the UK government would actually be able to do this?
During the passage of the IPA 2016, there was frequent discussion on requiring service providers to implement 'back doors' in encrypted communications to assist law enforcement and intelligence agencies. Part of these debates focused on TCNs being a potential way to impose such obligations.
However, when reading the IPA 2016 as a whole, the path to an E2EE ban is not so clear. There are three provisions in particular that would make it difficult to use a TCN in this way:
Double lock. Both the government agency applying for the TCN and the JC reviewing it must consider the obligations it is imposing to be necessary and proportionate. This process involves considering the general duties in relation to privacy, including the public interest in the integrity and security of the telecommunication system of relevance. [fn, s.2(2)(c)]
Reasonably practicability. The Investigatory Powers (Technical Capability) Regulations 2018 provides more detail on the obligations that can be included in a TCN. Those Regulations specify that the government can only request the removal of electronic protection where it is 'reasonably practicable' to do so. [fn para. 9(b) of Schedule 2]
Technical feasibility. For TCNs, regard must be had to the technical feasibility and likely cost of obligations relating to the removal of electronic protection applied to communications data to which the notice relates to. [fn, s.255(3)]
When considering these provisions together, it is difficult to see how a TCN could be used to ban current and future implementations of E2EE to aid state surveillance operations.