_KUBE_ - stock.adobe.com

Security experts: Investigatory powers plans will delay security updates

Cyber security experts warn that government proposals to amend the Investigatory Powers Act will limit tech companies’ ability to respond to security threats and could hamper the use of end-to-end encryption

Some 30 cyber security experts, cryptographers and academics have written to the home secretary, James Cleverly, urging the government to reconsider amendments to the UK’s surveillance laws, which they warn will introduce significant “bureaucratic hurdles” to patching security vulnerabilities in computer systems.

The proposed changes to the Investigatory Powers Act 2016 (IPA), also known as the snoopers’ charter, would exacerbate the “unprecedented and growing threat of cyber crime” for internet users around the world, and particularly the UK, the group says in an open letter.

The letter also raises concerns that measures proposed in the Investigatory Powers (Amendment) Bill, currently going through Parliament, could be used to block or delay tech companies from introducing end-to-end encryption on messaging and email services.

The signatories, acting in a personal capacity, include Philip Zimmermann, developer of PGP encryption software; Jon Callas, co-founder of PGP and former senior scientist at Apple; and Tarah Wheeler, senior fellow for global cyber policy at the Council on Foreign Relations (CFR), a Washington-based think tank.

Other signatories include Marwan Fayed, a visiting professor and research lead at technology company Cloudfare Research, and Mallory Knodel, chief technologist at the Centre for Democracy and Technology and a member of the Internet Architecture Board.

Notifications regime

At issue are two proposed changes to the Investigatory Powers Act. The first is the introduction of a “notification notice” that would require technology companies to inform the government before they make technical changes to their services that could impact existing arrangements to provide lawful access to government agencies.

A second requirement will prevent technology companies from making any changes to their systems if they appeal against a government notice until the appeal review is complete.

“If enacted, these proposals [to the Investigatory Powers Act] would have disastrous consequences for the security of users of services in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates”
Open letter from cyber security experts, cryptographers and academics

Security experts argue that taken together, the measures could lead to significant delays in companies updating their systems in response to new security threats.

“If enacted, these proposals would have disastrous consequences for the security of users of services in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates,” said the letter.

“They would orchestrate a situation in which the UK government effectively directs how technology is built and maintained, significantly undermining user trust in the safety and security of services and products,” it added.

The open letter points out that cyber crime will cost consumers and businesses £8.4tn annually by 2025. It quotes figures from the Department for Science, Innovation and Technology, from April 2023, that 26% of medium-sized businesses and 37% of large businesses had fallen victim to cyber crime over the previous 12 months.

“By interfering with the ability of operators to swiftly deploy software updates to patch vulnerabilities, these proposals would weaken security protections and exacerbate these risks, not only for the operators in the UK, but for all their users worldwide,” said the letter.

The Investigatory Powers (Amendment) Bill gives no indication of how long the government will take to complete a review of any objections from technology companies that receive a notice requiring them to modify their systems.

Threats to encryption

A government spokesperson told Computer Weekly that there was no intention to use the Investigatory Powers Act to force technology companies to weaken end-to-end encrypted services.

However, the government has also made statements in recent years calling for tech companies to provide law enforcement with access to encrypted communications – a move that cryptographers argue “would break encryption”.

According to the letter, “notify and freeze” proposals in the amendments to the Investigatory Powers Act would give the UK government the capability to prohibit or block product updates that would introduce end-to-end encryption by default.

Read more about the Investigatory Powers Act review

When combined with other measures, such as the Online Safety Act, which gives regulator Ofcom powers to require technology companies to scan encrypted messages for child abuse content, security experts said the new powers could be used to block or weaken end-to-end encryption.

Section 253, part 5(c), of the Investigatory Powers Act, for example, gives powers to the government to issue Technical Capability Notices to remove or modify “electronic protection” applied by tech companies to communications data.

“Cryptographers and security and privacy experts have long been concerned that the notice authorities in the IPA could be used to force operators to build backdoors, or prevent them from employing decryption by default on their services,” the letter stated.

The signatories say they are “deeply concerned” that the proposals are “anathema to the best interests of UK citizens and business and internet users everywhere”.

Meta encryption plans may be targeted

Mallory Knodel, chief tech technologist for the Centre for Democracy and Technology, and one of the signatories to the letter, said there were concerns that if the amendments to the Investigatory Powers Act became law, ministers would use them to freeze or delay plans by tech companies to roll out end-to-end encryption.

Meta has been repeatedly criticised by governments, including the UK, over its decision to roll out end-to-end encryption on its Facebook, Messenger and Instagram services.

In April 2023, the Virtual Global Taskforce, an alliance of 15 law enforcement agencies, including the FBI and the UK’s National Crime Agency, criticised Meta’s plans to deploy encryption as a “purposeful design choice” that would weaken the ability to keep children safe.

In September 2023, then home secretary Suella Braverman weighed in to challenge Meta to either introduce technology to protect children’s safety online or to abandon its plans for end-to-end encryption altogether.

Knodel told Computer Weekly: “You don’t come out with a strong statement like that and then not do anything even though the law provides for you to do something about it.”

Other technology companies are understood to be waiting to see what the UK’s reactions to Meta will be before talking publicly about their own plans for encryption.

They include companies such as X, Discord and Slack, which are facing pressure from civil society groups to secure their services with end-to-end encryption.

“We are really pushing companies to adopt end-to-end encryption sooner rather than later so that when regimes, democratic or otherwise, use policy-making to try to weaken that technology, they have a really steep hill to climb,” said Knodel.

Defacto powers

The open letter follows an intervention by the technology trade group TechUK, which represents 1,000 technology companies. It warned on 30 January 2023 that amendments to the IPA could grant the UK government a de facto power to veto companies from making changes to their products and services in the UK and other countries.

“Instead of focusing on improving users’ privacy and security, firms’ attention would have to be diverted towards fulfilling the surveillance needs of government. This is of particular concern in the world where threats to users’ data security continue to grow,” TechUK said in a statement.

Home Office – no plans to restrict security patches

The Home Office maintains there is no intention for security patches to be covered by the notification requirement in the Investigatory Powers Act and that it would never stop a security patch to a system.

A government spokesperson said: “The first job of government is to keep the country safe. Investigatory powers are an essential tool for protecting our citizens and they have existed since the 1980s. 

“We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption. But this cannot come at a cost to public safety, and it is critical that decisions are taken by those with democratic accountability.”

The Investigatory Powers (Amendment) Bill is awaiting its second reading in the House of Commons.

    Notices that can be served on tech companies

    Data retention notice

    The secretary of state may issue a data retention not to require a public telecommunications operator to retain relevant communications data. This includes data such as the when, where, time and duration of a phonecall, email, or other communication, but not its content.  

    Technical capability notice

    The secretary of state may impose obligations on a telecommunications operator to install technical capabilities to assist government agencies in implementing an interception warrant, equipment interference warrant, or a warrant or authorisation for obtaining communications data.

    National security notice

    The secretary of state has the power to issue a national security notice to a telecommunications operator in the UK requiring it to take steps considered necessary in the interests of national security.

    Notification notice

    Notification notices, if enacted, will require telecommunications operators that provide exceptional lawful access to their systems and data of “significant operational value” to inform the secretary of state of planned changes to their platform, including technical changes that could affect existing lawful access capabilities. Unlike other notices, the notification notice does not require the approval of an independent judicial commissioner, removing a layer of oversight.

    Read more on Regulatory compliance and standard requirements