I spoke with The Stack about the Investigatory Powers Amendment Act, which has passed its third reading and is awaiting royal assent.
I’ve been doing a lot of work on this Act, fighting the good fights with the good people. I think my days of writing very long (and stressful) explainer posts are pretty much done, energy-wise, but I will give you a bit of extra content with this one.
You’re probably aware that when you speak with journalists, you might talk for twenty minutes to get a thirty-second soundbite, or write a long email to get two or three quotes. And that’s fine – the goal is to get the journalist to the point where they understand the issue at hand and can also view it critically.
As this journalist clearly knew her stuff, I’m going to paste our full chat into this post, so that you can get some deeper insight beyond what made it into the article.
Q. How will the changes in legislation expand the UK’s surveillance powers?
While the IPAA was designed as a somewhat necessary review and update of the Investigatory Powers Act, the flash point was Clause 21, which creates a new notices regime. As it is intended to work, the Home Secretary will be able to request that a company desist from rolling out privacy or security updates which could be seen to impede the ability of the security services to engage in either bulk or targeted data collection. These powers are widely understood to refer to end-to-end encryption and, as with all tech legislation in the UK, myopically focused around Meta. But as always, in targeting one thing in one company, the UK has effectively legislated over the entire open internet – which they rather arrogantly see as a good thing.
As with the existing technical notices regime in the IPA, companies issued a notice will not be able to disclose to anyone, not even within the company, that they have been issued a notice, as a matter of state security.
What is equally controversial is that the new notices regime is intended to be extraterritorial, applicable to any company in the world whose services can merely be accessed in the UK. As Apple has correctly noted, this means the UK “seeks a power that no other country has claimed – to prohibit a company from releasing a security feature unless the [UK Government] receives advance notice”, and therefore “effectively empower[s] the SoS to act as the global regulator for every technology company with a single affiliate (whether located in the United Kingdom or not) that provides telecommunications services in the United Kingdom.”
Q. How will the changes make security worse?
With the UK effectively appointing itself the global regulator of privacy and security updates, there are two risks that could arise quickly if the Act is badly applied. One is that companies will be expected to roll out “UK-specific” versions of their products and services, which are inherently less stable and secure, just for the UK market, which is – what, just under 70 million people?
Of course companies are not going to do that, so the more likely outcome is that tech companies simply stop bothering to offer their products and services to a country copying notions from authoritarian juntas rather than parliamentary democracies.
But even if those scenarios do not arise, compromised privacy and security for one is compromised privacy and security for all. Think of what’s happening in occupied areas of Ukraine, where Russia has literally taken over the internet and is intercepting and surveilling all civilian communications – and engaging in arrests and deportations of Ukrainian children with the information they acquire. Private and secure communications are the only way to keep people safe and alive. A messaging app which compromises its security, just to keep London happy, has put that compromise into the system and into the wild for any other authoritarian-minded nation to copy.
Indeed, the IPAA debate was an incredibly rare instance of civil society – even digital rights groups – and the tech sector being in total agreement with each other. When groups that are normally at each other’s throats are saying the same thing, you’d better listen.
Q. Why, in your understanding, were so few parliamentarians opposed to the amendments?
Politicians are never known for their technical savvy, and on top of that, the current crop has just spent five years in the Online Safety Act debate, which was very much framed as “internet bad, tech evil, won’t somebody think of the children, Britannia rules the internet.” Even so, it should never be forgotten that they have seen two of their own murdered by terrorists in recent years. That would harden your views too. So parliamentarians are open to any suggestion which they believe will help keep people safe and, maybe as a bonus, stick one to Silicon Valley. When that happens, the technical and human practicalities of what they are actually legislating for are usually lost to them. In this case, by trying to do the right thing, they have voted for an Act which, if badly applied, could make the UK a global outlier, a risk to human rights anywhere, and a bad place to do business.