THE BLOG

When Online Security Conflicts With Online Scrutiny, Is Security the Loser?

21/07/2015 09:10 BST | Updated 20/07/2016 10:59 BST

One comedian observed about the failed 2012 Communications Data Bill, "Communications data can show I called the STI clinic for ten minutes, my wife for twenty minutes and a divorce lawyer for an hour and a half. What a good job no-one can find out what we talked about!"

It is evident to Clarke Willmott that communications data is very much back on the agenda, with Teresa May announcing further proposals requiring communications services providers (CSPs) to obtain and store data about messages (including VOIP calls) passing over their services and make it available to security and law enforcement services. Draft legislation is expected in the Autumn, with the new law coming into force by 31 December 2016 at the latest. However, the position has been complicated by the recent High Court decision to invalidate s.1 of the Data Retention and Investigatory Powers Act (DRIPA) for allowing access to retained communications data for too broad a range of purposes and without prior judicial oversight.

Communications data includes data about who people communicate with, how and when they do so, how long conversations last. However, the new proposals are likely to go further than previous attempts, by requiring compilation and retention of web-logs and browser histories and, crucially, by forcing decryption of encrypted communications.

This last point has sparked a massive row. Encryption is on the up, especially since users regularly incur big fines from the Information Commissioner for failure to encrypt sensitive personal data. In January 2014 the Government even introduced "Cyber Streetwise": a campaign to encourage businesses and individuals to adopt encryption for protection against hackers and cybercriminals. Since the last proposal for legislation in this field, there has been a revolution in the adoption by users of strong encryption, Virtual Private Networks (VPNs) and services such as iMessage and WhatsApp.

However, when online security conflicts with online scrutiny, it looks as if security is the loser.

The power to demand decryption keys was introduced in 2007 and has been sparingly used, with only 76 uses in 2013-14 and two convictions for non-compliance. However, the power is made much less effective by strong user-controlled encryption or end-to-end encryption of messages.

The original Communications Data Bill collapsed in 2012 when the Liberal Democrats withdrew their support amid heightened public alarm provoked by Edward Snowden's disclosures. Among the most explosive material in Snowden's dossier was his allegation that the US National Security Agency and the UK's GCHQ had been actively involved in inserting "back door" vulnerabilities into commercial encryption systems.

This time round the attack on encryption is through the front door. In response to a Parliamentary Question earlier this month, David Cameron said, "The question we must ask ourselves is whether, as technology develops, we are content to leave a safe space -- a new means of communication -- for terrorists to communicate with each other. My answer is no, we should not be, which means that we must look at all the new media being produced and ensure that, in every case, we are able, in extremis and on the signature of a warrant, to get to the bottom of what is going on."

On the face of it he seemed to be calling for a ban on end-to-end encrypted messaging services such as WhatsApp and iMessage, putting the Government on a collision course both with users and with tech giants like Google and Facebook.

Though there has been a flurry of backtracking from Downing Street since that statement, it is by no means clear what the Government is actually proposing. It may well be that they are unclear themselves; as the joke above shows, in 2012 politicians from all parties displayed remarkable technical ignorance about what was implied by collecting "communications data" but not "content data".

The Government is unlikely to back down from its insistence that new powers are needed. However, David Anderson QC, the Independent Reviewer of Terrorism Legislation, emphasised in his report to Parliament last month that "the road to a better system must be paved with trust" (paragraph 13.3) and advised the adoption of five core principles of minimising no-go areas, limited powers, rights compliance, clarity and a unified approach.

Governments (of all political stripes) have a terrible track record on IT issues. Partly this is driven by not understanding what technology users need and want. Access to strong encryption is an essential plank in the digital economy as well as being fundamental to civil liberties. This Government came to power on promises of reducing the regulatory burdens on business and encouraging growth. Even an objective as important as national security needs balance and proportion. There are worrying signs the current proposals, like the failed ones of 2012, are missing both.