A group of technology firms, including cybersecurity player F-Secure, has signed an open letter opposing the UK government’s controversial Investigatory Powers Bill, which threatens to mandate that the authorities can bypass encryption to read the content of messages.
The letter, which will be announced at the Parliament & Internet Conference this morning, is intended to inform and influence the debate ahead of the bill’s scrutiny by a joint committee this autumn.
Specifically, it warns of the economic impact of prime minister Cameron’s stated ambition to ban any end-to-end encryption where the service provider does not have access to decryption keys.
It claims:
“The encryption we all depend on (from banking transactions to the sending of customer data by businesses transferring our personal, financial and health records) has to be fully secure to work… By making us business partners who cannot be trusted by their users, the government places our reputation and future at risk.”
F-Secure security adviser Sean Sullivan argued that if the service provider is mandated to retain the all-important decryption keys, it is at greater risk from hackers.
“If we don’t hold the data, we cannot lose control of it. That’s just good security,” he told Infosecurity by email.
“That’s the direction that OTT communications software is moving to as well. That’s what UK security intelligence fears, and that’s what they want to prevent. It’s foolishness.”
Another risk is that if one government—i.e. the UK—is able to require a tech provider to hand over decryption keys, then another—such as China—could do the same to that provider if it operates in their country, further undermining the security of such a service.
“China doesn’t need a warrant—it can demand unwarranted access or else tell the company/service to get out of China. Apple does a lot of business in China now. Does the UK want to risk its security to Apple’s business decisions?” Sullivan argued.
“Anything ‘made for the UK’ will be looked down upon—and the bad guys will just use other software anyway. So why damage businesses in this way?”
Minister for internet safety and security, Baroness Shields, reportedly told the House of Lords this week that the government has “no intention” of weakening encryption in the upcoming legislation—dubbed the ‘Snooper’s Charter’.
However, she apparently then went on to contradict herself by arguing that companies like WhatsApp that provide end-to-end encryption must be subject to decryption in extremis.
Sullivan argued that UK politicians often confuse the issue because they fundamentally don’t understand the technology, such as the difference between end-to-end encryption and a system where the provider holds the decryption keys.
“There aren’t good encryption methods and bad ones. Security is a process and end-to-end encryption is the latest stage in the evolution,” he concluded.
“There’s no real choice but to move forward with it or else go extinct.”