UK government seeks power to block security updates

The British government is planning a comprehensive reform of the controversial Investigatory Powers Act (IPA), which could have a massive impact on global IT security. According to a recently published consultation paper, operators such as WhatsApp, Signal, Threema, Google and Apple are to inform the Ministry of the Interior in advance of planned changes to their services that could negatively affect investigative powers. The department is then to be authorized to issue a veto.


“This is intended to facilitate early cooperation between operators and the government” in order to be able to take countermeasures in good time if necessary, the consultation paper says. It is important to be able to “guarantee the continuity of lawful access to data against the background of changing technology” and to maintain existing possibilities for eavesdropping in classic telephony.

In the proposal, the government does not specify which technical changes would require notification, writes Ioannis Kouvakas, deputy general counsel at the British civil rights organization Privacy International, in a recent piece for Just Security magazine. However, this would probably include modifications to the architecture of software that would conflict with the current monitoring powers of the British authorities. The legal expert explains: “As a result, an operator of a messaging service who wants to introduce an extended security function must first notify the Ministry of the Interior.”

Kouvakas sounds the alarm: “Device manufacturers would probably also have to notify the government before they provide important security updates that fix known vulnerabilities and ensure the security of the devices.” According to him, after receiving such advance notice, the Interior Minister could then ask the operators to refrain from closing security gaps. The government is particularly concerned with maintaining access to electronic communications for surveillance purposes.

According to Kouvakas, the current IPA and related regulations could already allow the UK executive to “require companies to change their services in a way that may affect all users”. For example, there is a note on technical performance that prescribes the “removal of electronic protection by a relevant operator”. This could be used to force a service like WhatsApp or Signal to remove or undermine the end-to-end encryption of the services it provides worldwide. The government would only have to demonstrate that such a measure is proportionate and appropriate.


The British initiative, under the guise of preventing terrorism and crime, comes at a time of intense global debate about the importance of cyber security and of constant attempts by governments around the world, in the so-called “Crypto Wars”, to undermine security measures such as strong and end-to-end encryption. In Great Britain, the Online Safety Bill, which is no less contested, is also on the table. In the EU, a dispute is raging over chat control, which points in the same direction.

Against this background, Kouvakas sees the main problem with the outlined IPA reform in the fact that Great Britain could violate international human rights standards. In particular, the envisaged measures are unlikely to pass the necessity and proportionality test enshrined in Article 8 of the European Convention on Human Rights, which guarantees the right to respect for private life. Earlier, Apple also sharply criticized the plan during a consultation and threatened to withdraw from the British market if necessary. The iPhone maker gave assurances that it would never weaken its security features for a single country, as this would affect all users globally.


(mki)
