Monday, 30 November 2015

Draft Investigatory Powers Bill Select Committee

I have never watched a parliamentary select committee before. It is worse than watching debates in The Lords to be honest, and I have had to start another bottle of whisky...

It consists of a lot of questions put to the "witnesses", who give answers.

Now, a lot of the answers make sense, but it is not clear that the answers have to actually reflect the bill. They answer saying how things will be done or what processes are in place, even when the actual wording of the bill may not match what they say - as far as I can see. They could waffle and that would be it. Maybe I do not understand the process.


I was rather concerned over the questions regarding encryption. Basically the bill says, in the explanatory notes, that under RIPA a CSP may already be required to be "maintaining the ability to remove any encryption applied by the CSP to whom the notice relates".

This is a big problem - and iMessage is a very good example - someone asked many times how this tackles iMessage and the fact that it is end-to-end encrypted. The responses were waffle and somewhat contradictory (the classic "encryption is important" and "we must have a way to view terrorists' communications" dilemma).

The question that needs to be clearly asked is "will you ban Apple operating iMessage with end-to-end encryption" and that is key.

I need to track down the clauses in the bill and RIPA.

4 comments:

  1. In RIPA, it is an obligation which can be imposed under a maintenance of capability order, under paragraph 10 of the Schedule to the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002.

    In the draft bill, it is part of the broad power to require a provider to maintain technical capability, in s189. It is called out by way of example in s189(4)(c), but this is just an example, and not a limitation.

    The two positions can be contrasted: under the 2002 Order under RIPA, the list in the schedule sets out everything that the SoS can impose: it is exhaustive unless the Order is amended. Under the draft IP bill, there is no limited list of obligations, but rather anything the SoS considers to be reasonable, with some examples which are not limiting.

    Replies
    1. Thanks - I thought you may be able to clarify for me - ultimately does this mean that a company like Apple could be expected to change their systems so that iMessage is not end-to-end encrypted, and, of course, not even be allowed to tell people about that? Assuming of course that the company that runs iMessage, based in Luxembourg, cares to take notice of such an order.

    2. The other point is that this only applies to CPs. A company making software that provides end-to-end encryption is not subject to such orders - correct? If Apple were in the UK and wanted iMessage to be end-to-end, they could sell an app that does end-to-end encryption separately to the servers that perhaps just provide an XMPP platform which the app uses.

    3. I also assume a CP ordered to provide a means to unencrypted communications is not somehow liable for being unable to break the laws of mathematics (?!) where a third party app or s/w is being used to provide end-to-end encryption and as such they simply cannot comply?
