Saturday, 6 May 2017

Banning end-to-end encryption

This is more of a rant, sorry.

The Investigatory Powers Act has some wording in it which may, or may not, be an attempt to ban people providing end-to-end encryption services. The Register article assumes the worst, and others have said, sensibly, that maybe they are reading too much in to it.

We are talking about WhatsApp, signal, iMessage, and all sorts of commonly used and secure applications which many normal, non criminal, citizens choose as a platform with which to communicate.

The whole thing of encryption applied "by the telco or on their behalf" is the unclear area, and when the telco might be "WhatsApp" does that ban them from offering end-to-end encryption as part of the app?

It is unclear.

Now for the bit that pisses me off here, sorry.

The government created this wording in the bill that resulted in this Act. There were asked if they intended the wording to ban end-to-end encryption services. They basically refused to give a straight answer. Lord Strasburger tried to get an answer.

At the end of the day there is no reason for this ambiguous wording in the Act. If the government had made the intention clear - ban it or not ban it - then the wording could have been made clearer.

The result of this is ...
  • Parliament did not actually decide if to ban or not ban end-to-end encryption as they did not have the details of the government intention - they were left to guess from the wording, which seems to be deliberately unclear.
  • Now it is an Act, the government can interpret as they wanted to in the first place, or as future governments may choose to, which is possible even worse.
  • The Act allows for gagging orders so nobody will know what they have "interpreted" and it will be hard to challenge it (and the big telcos may not try).
This is not the way to run a county or make laws! The government should have been clear as to whether they wanted to ban end-to-end encryption apps/systems up front when the bill was debated in parliament.

If they do, then that could have been debated, and maybe even decided that it is a bad idea. It is a bad idea, TBH, as criminals can always do this anyway, so the only people you expose are normal non-criminal citizens.

If they do not, then that could have been made clear in the wording and not allowed creative interpretation by this government or future governments.

Why do we allow laws to be made in this way - the process was positively underhand!

I really hope the whole things gets reviewed or repealed soon.

P.S. Just to be clear - there are plenty of cases of laws trying to cover the possible future we cannot envisage - when this was made law applications like WhatsApp and signal and iMessage existed, so they could have addressed this clearly. Simply not being able to guess the future is more excusable.

7 comments:

  1. The law is not meant to be definitive Adrian, it is always changing and open to interpretation.

    I appreciate that's likely to annoy you ;) but the alternative is a strict set of rules which are very hard to change even for edge-case situations.

    The problem (IMHO) is that Parliament is sovereign in England, not the people or the crown - the opposite is true in Scotland (& most other places) where people are sovereign & that's been law for 800 years.

    The English system is a mess where (unnamed) govt ministers can be effectively be granted sovereign powers without any oversight. Most bills which require parliamentary assent are written such that modifications to the bill require no assent or oversight. The fact that May wanted "Henry VIII rights" shows how fucked up Westminster is - the idea that we're going back 500 years to a monarchical society/dictatorship where the King was at best "disturbed" (sociopath seems more appropriate) for law on democracy is ludicrous but that's English law/politics for you.

    Its a mess. Deliberately so IMO as then there's always "wiggle room" for those who can pay.

    /cynic mode off, oh wait that switch failed some time ago ;)

    tl;dr English law is an enigma.

    ReplyDelete
    Replies
    1. Still, it is unclear whether or not the government can use this shining new act to lawfully ban the use of end-to-end encryption. That was the whole point, wasn't it?

      Delete
  2. The Secret Services want what they want, and the Home Office makes sure they get it. That generally means the law is worded to allow whatever the Secret Services would like, while at the same time not revealing to parliament or the public what that is, because they might object.

    About the only upside of this is that the law has to be be ambiguous to satisfy both requirements.
    And if people like yourself aren't there to make a fuss then they will just be able to take the maximum interpretation of the law. With enough fuss, they're stuck with less than that. So thank you. You make a big difference.

    ReplyDelete
  3. This is largely parliament's fault - if there is vague wording in an bill and the government refuses to go on record saying what they intend that to mean, parliament should just refuse to pass the bill until they do.

    Unfortunately there seems to be next to no way to hold politicians, and the government in particular, to account. Lieing, misdirection and borderline criminal behaviour from politicians seems to be tolerated by the authorities with little or no punishment.

    ReplyDelete
  4. I'm not an expert on such matters, but isn't it the judiciary's job to interpret the law?

    It doesn't matter what the government think: the courts decide.

    ReplyDelete
    Replies
    1. Yes but with secret orders to telcos it does not easily get seen by courts unless the telco wants to kick up a fuss. And until a court says otherwise the government will assume its interpretation is valid.

      Delete
  5. The gag orders don't work unless the telecommunications provider is willing. (Moreover, recall that in RevK's meeting with the home office, they stated that ISPs asked for them. They're just theatre so that ISPs can have an excuse if the public ever condemns them for keeping this stuff secret. The major ISPs have no compunction about complying with these measures, so long as nobody can blame them for it and they have a getout from data protection law.)

    Testimony given by the intelligence services in the Intelligence and Security Committee prior to passage of the Act states that they always contact the service provider to ascertain what would be practical for them to comply with prior to issuance of a notice. This means that the state always tips its hand as to its intent to issue a notice prior to issuing it. A telecommunications provider playing work-to-rule with regard to the Act could elect to inform the public whenever the state contacts them for the purposes of ultimately issuing a notice.

    Even if a telecommunications provider published this as an official policy, and the state observed this and tried to get around it by issuing a pre-emptive, overly broad notice in ignorance of what would be feasible for that provider, with the intention of then meeting so that it can be replaced with one more tailored, this arguably wouldn't work, because publishing the mere statement "The state has expressed a desire to meet with us for the purposes of discussing the future issuance of a (Technical Capability Notice/Data Retention Notice/National Security Notice)." does not reveal the existence of any prior such Notice, and as such does not violate the gag order. Moreover such a pre-emptive notice would arguably be an abuse of power.

    ReplyDelete