Retaining your privacy despite new law

With the UK’s Investigatory Powers Bill through its second reading in the House of Commons, with a mere 15 votes cast against, the UK has moved another step closer to the Investigatory Powers Act (IPA), making it the most totalitarian former democracy on the planet.

In the US, the situation seems little better: outgoing President Obama has made clear his disinterest in maintaining the security of encryption, and the most likely candidates to succeed him do not appear to stand for anything substantially different.

All is not lost yet: we are still not reduced to having to whistle Monty Python’s Always Look on the Bright Side of Life. Should it come into force later this year, the IPA will not change the way the law works with respect to the use of encryption by individuals, which will remain completely legal.

However, under the existing Regulation of Investigatory Powers Act (RIPA) 2000 – which the IPA will not replace – you can be ordered to provide your encryption keys. Already several people have been tried for refusing to surrender their keys when so directed, and one was sentenced to more than a year in prison as a result.

However, the big difference between the powers of the IPA and RIPA in this respect is that a RIPA order to disclose keys is not covert and occurs under judicial scrutiny. I am sure that every law-abiding citizen will do everything they can to co-operate with police and similar investigations. For the time being, although you can be threatened with incarceration, at least you should not be tortured into surrendering your keys.

The IPA’s main targets are the companies which provide communications services, from Internet Service Providers (ISPs), through those which supply hardware such as smartphones, to anyone offering software supporting services such as VPN and encrypted messaging. All those operating in the UK come within the IPA’s direct scope, meaning that UK law enforcement and security agencies can get the Home Secretary to serve a Technical Capability Notice on them to open up any encrypted communications or data.

Switching to an offshore service is no protection from this prying either. The UK government intends the IPA to apply worldwide, although its success in forcing wholly overseas companies and organisations to comply will be determined by the legal support available to them at home. The IPA also has to take into account local legislation: in a country with strong legal protection for the right of privacy, this should make UK law essentially unenforceable. Unfortunately, by the end of this year the US is not likely to be such a safe haven.

One of the most sinister indirect consequences of IPA is the destruction of our trust in suppliers of encryption and related forms of security. Some will be compliant with UK law and probably quite relieved to co-operate under a blanket of secrecy, so you will not know whether they have opened a backdoor when asked to under the IPA. Several have expressed the opinion that Apple would not do so in silence, although under the IPA this could open them to tough legal sanctions in the UK as a result. For the moment, I hope we can keep our trust in Apple and the other companies which have nailed their colours to Apple’s mast.

Otherwise we are left to rely on open source encryption: because experts cannot inspect its source code, the IPA will render closed-source encryption forever suspect. For example, OpenSSL is controlled by the OpenSSL Software Foundation. Although this has received sponsorship from US government departments, it seems most improbable that it could be doctored without detection; this also applies to LibreSSL, the fork maintained by the OpenBSD project.

Most critical will be the effects on iOS and the devices which run it. There we do not have the option of running whatever open source tools we fancy, and are reliant on Apple and app developers operating within its walled garden. It will be very interesting to see what options emerge over the coming months.

One thing though is certain: no one in the world will ever trust any UK communications or security hardware or software again, for fear that it has a backdoor, thanks to a Technical Capability Notice.