A little-known clause in the Investigatory Powers Bill contains plans that would force internet, phone and technology firms into giving both government and cyber spooks advance access to any new products or services launching in the UK to ensure they are able to intercept sensitive data.
The policy was uncovered deep within the draft Code of Practice document that was released in March this year alongside the much-criticised surveillance bill – which has been branded a Snoopers' Charter by its many critics. If the proposals were to pass in their current format, any firm working with communications data in the UK – which includes phone and internet records – would be obliged to abide by the law or risk being sued.
The legislation states: "The communications market is constantly evolving and communications service providers subject to technical capability notices will often launch new services. [Providers] subject to a technical capability notice must notify the government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the [company] to provide a technical capability on the new service."
These "technical capability notices", as described in the bill, will be used to compel UK firms to intercept communications data and retain it for police services to access at a later date once they receive a warrant. In this context, firms such as Microsoft, Twitter or Google – all of which operate on a global scale – would be forced to work more closely with the UK government than ever before.
Smaller firms operating in the UK with fewer than 10,000 customers or users are not exempt from the policy, the documents reveal; however, they will not be required to provide a so-called "permanent interception capability" required of the bigger industry players. Additionally, for any firms planning to partake in an Apple-like protest on surveillance, the legislation notes the government can easily take legal action to force compliance.
The clause in question, Section 217 of the draft Code of Practice on Interception of Communications, was first analysed in detail by Privacy International, which claimed its inclusion in UK law would signal an attempt to circumvent end-to-end encryption now used in popular apps such as Facebook's iMessage and WhatsApp.
While UK law enforcement officials have long argued that encryption is hampering police investigations, it remains extremely vague how the government will be able to enforce this law on global technology firms. IBTimes UK contacted the Home Office for comment but had received no reply at the time of publication.
Tech companies respond
In a blog post, Camilla Graham Wood, legal officer at Privacy International, said: "The tech companies have raised concerns that technical capability notices will undermine encryption and they demand that where a service is encrypted end-to-end then the bill should recognise that it will not be reasonably practicable to provide decrypted content."
She added: "The Investigatory Powers Bill was trumpeted as bringing greater transparency to UK surveillance practices. Technical capability notices are just one feature of a new shadowy surveillance framework."
Following publication of the spy bill, techUK, which represents more than 850 companies including Apple, Microsoft and Samsung, said: "Although the government has been at pains to stress that it is not restricting or weakening encryption, and that all requirements in the bill regarding the 'removal of electronic protection' are already provided for in current legislation, further scrutiny around this is needed. The draft bill could be interpreted as giving the government the power to request companies to compromise their software in order to make encryption less secure in order to give an effect to a warrant."
Despite facing widespread criticism from politicians, privacy groups and service providers, the bill is expected to be made into law by the end of 2016, before the sunset clause on the current DRIPA legislation expires in December.
Should firms be forced to give advance access to products and services? Let me know your thoughts via email: email@example.com or on Twitter: @Jason_A_Murdock