The UK government's controversial proposal to expand surveillance powers: What you need to know

Building on our response to the government’s plans, this piece explains why what they want to do puts every one of us at risk.

Key findings
  • The UK government wants to expand their current regime governing extremely intrusive surveillance measures like technical capability or national security notices. The latter can force companies to carry out surveillance or reduce security.
  • Among other things, they want to be able to prevent companies from providing important security updates and ensure these powers would have a global effect.
  • This proposal puts everyone using online services at risk and threatens the whole internet.

In June 2023, the UK government announced its proposal to expand its surveillance powers by, among other things, forcing communications operators to undermine encryption or abstain from providing security software updates globally. Building on our response to the government’s plans, this piece explains why what they want to do puts every one of us at risk.

Why your trust (in the technologies you use) matters

Surveillance and privacy are complex concepts to grasp – it’s part of the appeal to us at PI. Even after the pushback to 9/11 surveillance measures, the rise of Big Tech and Edward Snowden’s revelations, it remains challenging, because of their invisible nature, to understand how intrusions upon privacy affect our daily lives. However, even if you never put it into words, you rely on an implicit idea that when you interact with some technologies, you are safe from being watched over or heard. When we have a conversation with our therapist, our friends or our partner using those same technologies, we usually do it freely, mainly because we think it is private. You may not know the technicalities that protect this confidence or how this security works, but ultimately you hope to trust. At PI, we work hard to try to understand, and even with our experience and expertise, we sometimes struggle to see behind it all.

But why do we trust? When you build a relationship with a company and abide by a contract, you do it because you think it will protect you from unlawful intrusions. You also believe that the company will abide by laws or regulations that comply with human rights standards. Ultimately, you trust because you believe you interact in a safe, regulated environment. This trust, however, is not bulletproof. It can easily change when these expectations are not met. Suppose your personal data have been part of a company’s data breach or that you live in a country where the government routinely prosecutes human rights defenders or silences dissent with the help of private actors. In that case, your trust will decrease. Ultimately, you only trust if you have good reasons to do so.

Trust takes a lot of work. It must be built in good faith, certainly. It must also be maintained continuously. Practically, this takes the form of continuous improvements to security and privacy practices we use every day. When everyone is working towards this positive outcome, we maintain a trustworthy ecosystem.

What’s the deal with National Security and Technical Capability Notices?

Nowadays, much of this hard work can be undermined by the existence of extremely intrusive surveillance powers such as those held by the UK Government. The introduction of new surveillance legislation in the UK, the Investigatory Powers Act (IPA) 2016, did not make the ecosystem any safer for almost anyone using telecommunication services. This regime grants the UK Government powers that are highly problematic, undermine our privacy, and erode our trust. Examples of those intrusive powers in the UK are National Security Notices (NSNs) and Technical Capability Notices (TCNs).

These notices are served by the UK government on telecommunications operators, requiring them to carry out certain activities that enable interception and equipment interference (also known as hacking). In other words, the government can oblige companies to carry out surveillance on its behalf. This means that to comply, companies need to change how they deal with security, their internal policies, and their innovation practices. In addition, a company cannot tell anyone about a notice it has received, and the UK government has a ‘neither confirm nor deny’ policy for notices, which means we do not know whether and/or how often this power has been used!

For example, Section 252(3) IPA 2016 stipulates that an NSN may require an operator to facilitate “anything done by an intelligence service under any enactment other than” the IPA 2016 (such as the Intelligence Services Act 1994, which has been used to authorize non-investigative forms of equipment interference) or “to provide services or facilities for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively.”

What does this look like? Under a TCN, for example, a telecommunications operator could be required to remove any relevant electronic protections or even to send false security updates to the devices of users. Nowadays, for example, several online platforms or apps we interact with use end-to-end encryption (E2EE), a security feature that prevents third parties (even the operators themselves) from accessing our data (our conversations or personal information). In that sense, E2EE is vital: because it provides a private space in which to express views, organise collective action, and form opinions, among other things, it also implicates the right to freedom of expression and opinion.

Key Resources

PI’s report on end-to-end encryption (E2EE) analyses and defends expanding the use of E2EE to protect our communications. It defines E2EE, delves into its human rights implications, briefly addresses some prominent proposals for government access to E2EE content, and concludes with PI’s recommendations regarding E2EE.

What happens when you realize that these security measures could be compromised through such a notice? The virtuous circle of trust is broken. Security innovations stop, companies cannot build these relationships with their users, and people cannot express themselves freely. These problems have broader and more profound effects on people in a situation of vulnerability and under constant surveillance, such as asylum seekers, migrants, or even journalists. But as this affects the security of the ecosystem, it impacts us all! And despite civil society raising the alarm regarding these powers, the UK government suggested amendments that create even more risk to our privacy, security and ultimately our trust.

The UK government’s 5-objective plan for creating insecurity for everyone

As scary as everything sounds, this is not all. Now, the UK government wants to expand these powers to deprive notices of the (already few) safeguards they have and to single-handedly decide the fate of every internet user across the globe. Below, we outline the 5 objectives the UK government announced in June and explain why we think this will have detrimental impacts for everyone everywhere.

The first objective is to remove some of the safeguards that this already faulty system has. Under the current rules, companies only need to comply with a notice once it has been formally served by the government following prior approval by an independent body (the Judicial Commissioner). In other words, for these notices to be valid, an independent authority should authorize them, and the government must follow a specific process for this. However, the UK Government is aiming to impose a general requirement for telecommunication operators to comply with these notices while they are being reviewed, before they are approved and before they are formally served. So, telecommunication companies could, for instance, be forced to grant access to a bunch of data or stop fixing a specific bug during a review process that could last forever and end without a formal notice being given.

The second objective aims to place an obligation on operators to cooperate during this so-called review period, by making them also share any technical (or other kinds of) information they have with the Home Office or the Judicial Commissioner. Keep in mind that we are not even dealing yet with formal notices; at this point, this is just a wish letter. Yet, the government is making operators treat them as some sort of formal notices and make them disclose information about their systems or products. So yes, this can be before independent authorization and without giving operators any possibility of refusing to cooperate. Remember that these operators usually deploy sophisticated technical processes to ensure the confidentiality and integrity of data that try to ensure our trust as users. Approval procedures are in place to ensure that our security is not broken by abusive requests. So, knowing that this security could be breached, will you talk or share freely?

Objective 3 is one of the main reasons why this should be everyone’s concern. While the current regime, quite problematically, applies outside the UK, the government wants to further expand the extraterritorial application of notices, by making sure it applies to all operators, independently of their corporate structures, and that it is subject to strong enforcement powers. From a legal perspective, this could be a massive disaster. As we know, many of these companies operate internationally, and they need to comply with different legal regimes that could be (and in a lot of places will be) in conflict with this. So yes, the UK government is going beyond its own borders and deciding what standard of privacy citizens should enjoy while using a specific service. At the same time, by effectively dismantling online security, the UK would be putting several groups at risk, such as human rights defenders, journalists and activists, who often operate in countries where secure communication channels might be the only way to avoid prosecution or even torture.

The fourth objective is no less problematic as it seeks to impose the vague obligation on operators to notify the government when introducing “relevant” changes. This could basically mean anything and can include technical changes related to security updates. Imagine the following scenario: You are using an app like Signal or WhatsApp to communicate with family and friends. One day, the company discovers a security vulnerability in their systems so, in order to fix it asap, they will need to push an important security update to the devices of all users who have these apps installed. Before doing that, under the proposed changes, they would first need to notify the UK government and get some sort of approval. If the government does not agree, then they could stop these apps from providing the update. As a result, the government could hold on to the vulnerability in case they want to exploit it in the future, while third parties might also discover it in the meantime and access your bank accounts or your health information. This not only goes against the government’s obligation to protect your privacy but it is also chilling and could have enormous consequences worldwide and on a massive scale. These vulnerabilities could also be used (and have been used) to compromise infrastructure operators in sectors such as health, energy, finance, and transport.

Finally, the fifth objective aims to introduce a new power for the Investigatory Powers Commissioner to renew notices already in place once a 2-year period has passed. This is good in theory. In practice, the problem is that it is not clear what the duration of these notices is to begin with. The 2-year renewal period might seem to suggest that they could go on for longer than this. While extra safeguards periodically reassessing the necessity of measures should always be welcomed, waiting for two years is an unreasonably long time. Technology changes quickly and having an intrusive practice like this for that amount of time could be dreadful for the market, innovation and individual users.

What next?

These are the five objectives summarising the UK government’s motivation to expand its already vast and intrusive surveillance powers. This is what the UK government envisages our online future to look like, a future in which surveillance powers are out of control and everyone is unsafe.

PI will keep fighting dangerous proposals like this. We have already responded to the government consultation outlining our legal and technical concerns. We will continue updating you and working on these issues to have a safer digital environment where everyone can exercise their fundamental rights.