Unpicking the Investigatory Powers Leak

Neil Cook, Chief Security Architect, Open-Xchange

Neil-CookAt first I was very concerned at the reports on the recently leaked UK Investigatory Powers (Technical Capability) Regulations 2017 paper. Many commentators seem to think that this means that UK telcos will not be allowed to deploy solutions which use encryption (the Independent says the proposals “would effectively ban encryption”), particularly end-to-end encryption, and indeed will be legally required to introduce the dreaded “backdoor” to their systems (the Register says “UK organizations will not be allowed to introduce true end-to-end encryption of their users’ data but will be legally required to introduce a backdoor to their systems.”)

 

Rather than comment on comments, I thought it would be a good idea to read the leaked paper myself. After doing so, I have to say that in my opinion, the paper is not exactly what it is being portrayed in the press. I tried hard to find something that indicated that end-to-end encryption would not be allowed for example, but I could find nothing that did this (admittedly I am not a lawyer). The closest I could find was the following paragraph:

 

To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection.”

 

End-to-end encryption is by definition encryption that is not applied by or on behalf of an operator (otherwise it would not be end-to-end). Additionally, the “where practicable” clause would seem to explicitly exclude encryption which the operator cannot decrypt (make intelligible). I think it’s also worth pointing out also that the RIPA act from 2000 includes provisions that make it a legal requirement to hand over keys to the government when presented with the appropriate warrant, which means that end-to-end encryption is already covered by existing legislation (although clearly this is not a technical “backdoor”). The point here is that I don’t see anything which “bans” end-to-end encryption, or indeed encryption in general.

 

I have also seen a fair amount of hyperbole about the clauses in the technical capability paper referring to “realtime” lawful interception, suggesting that this will bring about unparalleled levels of mass surveillance (the Register states that “the UK government will be able to simultaneously spy on 6,500 folks in Blighty at any given moment”). Again I went back to the source, which states:

 

to provide and maintain the capability to simultaneously intercept, or obtain secondary data from, communications relating to up to 1 in 10,000 of the persons to whom the telecommunications operator provides the telecommunications service to which the communications relate.”

 

The government already has extensive lawful interception powers to intercept communications data; from my perspective the above doesn’t grant any new powers. Instead it simply states how many simultaneous users a telco must be able to intercept data from at any given time. For example, a telco with 5 million customers must be able to intercept up to 200 users simultaneously. To me, this figure actually seems quite low; software deployed at telcos that is capable of handling the communications traffic of millions of users should already be easily capable of simultaneously intercepting far higher numbers of users than 1 in 10,000.

 

Additionally, the only reference to “realtime” I can find in the paper is:

 

To provide and maintain the capability to ensure, where practicable, the transmission of communications and secondary data in near real time to a hand-over point as agreed with the person to whom the warrant is addressed.”

 

If we ignore for a moment the fact that “near real time” is a practically meaningless phrase, the above would appear to be referring to the “transmission” of data (i.e. sending the intercepted data); the only reference I can find to a hard time boundary on the interception of data is the “within one working day, or such longer period as may be specified” clause.

 

I’m not writing this to defend the UK government, what I’m trying to do is point out that since the RIPA Act in 2000, the UK government has had extensive powers to intercept data and to make data “intelligible”, whether by operators removing encryption that they have applied, or with powers to demand decryption keys from users. Specifically this leaked technical capability paper doesn’t appear to me to provide any new powers, and does not by itself, again in my opinion, “provide the government with the legal authority to monitor anyone in the UK in real time, as well as effectively make strong and unbreakable encryption illegal”, as claimed by the Register.

 

I wonder if there would have been quite so much fuss over this paper had it been published publicly rather than being leaked.