Spying on MPs and breaking encryption: New UK legislation damned as “unprecedented” – and “deeply troubling”
Apple says new rules “significantly widen the powers and exacerbate the flaws inherent in the Investigatory Powers Act”
Sweeping amendments to UK legislation being rushed through Parliament this week would let more ministers approve the right to spy on MPs under certain circumstances – and force technology companies to pre-disclose security changes that make surveillance challenging for British officials.
Blasting the Investigatory Powers (Amendment) Bill, Apple said “the breadth of these reforms is unprecedented, and the potential impact on the security of technology users across the world cannot be understated.”
In a joint March 22 letter, organisations including industry group techUK added that “rushed passage of this legislation has hindered proper scrutiny and risked “opening the door for indiscriminate, arbitrary interference with users who are not the targets, via the introduction of systemic vulnerabilities that would pose security and privacy risks.”
How could HMG interfere with vendors?
Close readers will need a sharp eye for legal gobbledegook to understand what the Bill aims to achieve, but a "pre-notification" requirement has been singled out by the likes of Apple has particularly problematic.
This would furnish HMG with new powers new powers to make tech providers pre-brief the government of any changes to their offerings that could impact its ability to access user data.
Per the Bill itself: "Regulations under subsection (2) may in particular specify changes by reference to the impact of the changes on the capability of relevant operator to provide any assistance which the operator may be required to provide in relation to any warrant, authorisation or notice issued
or given under this Act."
Per Apple: "In its response to the public consultation on the notices regimes, the Home Office asserted that the pre-notification requirement "is not intended as an approval mechanism," and that '[t]here will be no method within the notification requirement itself for the Secretary of State to intervene in any way with the decision the operator has chosen.' But that mistakes form for function. Once a company is compelled to provide notice of a new security technology to the SoS, the SoS can immediately seek a Technical Capability Notice to block the technology.
The Bill had its third reading in the Commons on Monday, and will be sent to the Lords for final amendments, before receiving Royal Assent. Just 38 MPs out of 650 Parliamentarians voted against the bill. As Joe Bambridge, Deputy Editor of Politico Europe noted, the figure emphasised that "civil liberty arguments have almost zero cut through the current crop of MPs."
Matthew Hodgson, co-founder of secure collaboration platform Element, told The Stack: "This was already a highly contested bill when it first passed in 2016, so it was disheartening to see so few parliamentarians engaging with it and even fewer opposing amendments..."
See also: UK’s spy agencies grapple with prosaic IT modernisation – as GCHQ ramps up its hacking capabilities
Apple described the Bill as forcing tech firms to make an “impossible choice between complying with a SoS [Secretary of State] mandate to secretly install vulnerabilities into new security technologies (which Apple would never do), or to forgo development of those technologies altogether as threats to users’ data security continue to grow.”
By broadening the powers of HMG to demand that technology providers facilitate surveillance it could, "or the consumer in, say, Germany... represent hacking of their data by an Irish business on behalf of the UK state under a bulk warrant - activity which the provider is not even allowed to confirm or deny. Maintaining trust in such circumstances will be extremely difficult."
Investigatory Powers (Amendment) Bill gives more ministers powers to approve surveillance of MPs’ communications
The bill also ramps up the powers of civil servants to demand the interception of MPs’ communications under certain conditions.
Where the 2016 legislation requires this to be approved by the Prime Minister, the new bill adds that a) Where the PM has the “incapacity or inability to access secure communications” or b) “The Secretary of State or a senior official considers that there is an urgent need for the decision” this could be delegated to up to five other Secretaries of State.
The initial act was passed in the light of Edward Snowden's revelations about massive state surveillance; legally approving surveillance powers used by intelligence agencies, and giving some of their uses to the police.
The 2016 act also created additional surveillance powers, including Internet Connection Records (ICRs), which required ISPs to hold data about the websites users visit and the devices that they use.
It also made explicit the right of security services and police to hack into and bug computers and phones. And it placed new legal obligations on companies to assist in these operations to bypass encryption.
I spy
UK tech policy specialist Heather Burns said the 2024 amendment was designed as a review and update of the Investigatory Powers Act.
However, its Clause 21, creates a very new notices regime. The bill in effect, seeks to allow the UK government to pre-approve new security features introduced by tech firms. It is extraterritorial legislation – it would apply to any company whose services can be accessed in the UK.
"As it is intended to work, the Home Secretary will be able to request that a company desist from rolling out privacy or security updates which could be seen to impede the ability of the security services to engage in either bulk or targeted data collection," said Burns speaking to The Stack.
"These powers are widely understood to refer to end-to-end encryption and, as with all tech legislation in the UK, myopically focused around Meta. But as always, in targeting one thing in one company, the UK has effectively legislated over the entire open internet - which they rather arrogantly see as a good thing," she added. Burns highlighted the risk this poses in one scenario. Companies are unlikely to roll out "UK-specific" versions of their products and services, which are inherently less stable and secure; instead choosing to exit the market entirely, she suggested.
The second scenario is arguably worse: "Compromised privacy and security for one is compromised privacy and security for all," said Burns. "A messaging app which compromises its security, just to keep London happy, has put that compromise into the system and into the wild for any other authoritarian-minded nation to copy," she emphasised.
Another concern critics have is that the amendment expands intelligence agencies' powers to surveil bulk personal datasets. Big Brother Watch, a civil rights organisation that has campaigned against the bill, shared expert briefings with all MPs before the amendment was brought to vote.
The bill was pushed through following the UK government's calling out of China sponsored cyber-attacks within the UK. Silkie Carlo, a Director at Big Brother Watch, said it was "ironic" that government would expand its own surveillance powers while decrying foreign espionage.
The Home Office was dismissive of industry concerns, saying that it did not recognise the claims made in techUK’s letter and insisting that the bill will make urgent, targeted changes "to reflect the reality of modern threats to national security whilst utilising the necessary tools to keep the public safe, underpinned by world-leading safeguards and oversight."
The Home Office claims the bill is necessary to keep the nation safe from child predators and terrorists. However, most experts disagree.
From Bad to Worse?
"We agree with the Home Office’s goal of safeguarding children online, but a worthwhile goal is no excuse for an awful bill," said Ayesha Bhatti, a policy analyst at ITIF's Center for Data Innovation. ITIF is a signatory to the techUK letter.
"In this case, the current proposal unnecessarily puts individual privacy and security at risk and lacks sufficient checks and balances to ensure that any government surveillance is done with as little intrusion as possible."
"A hasty bill (such as this one) will potentially expose Internet users to greater harm. There are better ways of getting this done," Bhatti noted.
Apple’s view? "The UK seeks a power that no other country has claimed.”
The industry consensus is clear – it's a bad bill on all fronts, civil, economic, technical: "The IPAA debate was an incredibly rare instance of civil society - even digital rights groups - and the tech sector being in total agreement with each other," said Burns. "When groups that are normally at each other's throats are saying the same thing, you'd better listen."