Leaked Regulation Shows UK Gov Will Force Telcos to Decrypt Comms for Real-Time Surveillance

Activists at the Open Rights Group have received a leaked copy of a draft UK government regulation which will enable the ‘live’ surveillance of British web users’ internet communications. If it becomes law, telcos will be asked to provide “data in near real time” and will also be expected to remove the encryption applied to any secure web chat or messaging service.

The draft regulation is being circulated as part of a ‘targeted consultation’ involving a small selection of organizations listed in the Investigatory Powers Act 2016. The UK’s Home Secretary, Amber Rudd, is not required to consult the public about this regulation. In response to the leak of the draft regulation, the Home Office reportedly denied there was anything new in the consultation.

The consultation is scheduled to last just four weeks, and will conclude on 19th May. Responses to the consultation should be sent to: investigatorypowers@homeoffice.gsi.gov.uk.

Jim Killock, Executive Director of the Open Rights Group, said:

These powers could be directed at companies like WhatsApp to limit their encryption. The regulations would make the demands that Amber Rudd made to attack end-to-end encryption a reality. But if the powers are exercised, this will be done in secret.

The public has a right to know about government powers that could put their privacy and security at risk. There needs to be transparency about how such measures are judged to be reasonable, the risks that are imposed on users and companies, and how companies can challenge government demands that are unreasonable.

Warrants will be issued to telcos, specifying who is to be spied upon. The leaked document reveals that telcos who serve more than 10,000 users will be expected to:

  • “Provide and maintain the capability to carry out the interception of communications or the obtaining of secondary data and disclose anything obtained under the warrant to the person to whom the warrant was addressed, or any person acting on that person’s behalf, within one working day…”
  • “Provide and maintain the capability to ensure the interception, in their entirety, of all communications and the obtaining, in their entirety, of all secondary data authorised or required by the warrant”
  • “Provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection”

In terms of capacity, telcos will have to be capable of spying on at least 1 user per every 10,000 users they serve. At least that means there will be limits on the scale of interception, though the provision is probably motivated by the desire to avoid an unseemly public battle with privately-owned businesses unwilling to bear higher costs on behalf of the state.

Telcos will also be expected to notify the Home Secretary about the change and development of communications systems and services, so the government can ensure these will not effectively degrade their surveillance powers. However, the regulation says nothing about the right of telcos to challenge warrants that appear to be illegal or abusive. The need for comms providers to be able to push back against government overreach was made clear when ISPs in the USA spent years challenging the constitutionality of legal orders that they were prevented from talking about publicly. If the public has no knowledge of the way surveillance is being used, then only comms businesses will be in a position to curb the misuse of surveillance powers.

You have to wonder about the timing of this process. Widespread surveillance elicits strong feelings, so it would always be likely that somebody would make this ‘secret’ consultation a matter of public knowledge. However, this consultation is taking place during a period when it is least likely to receive serious scrutiny or adverse publicity. The UK Parliament has dissolved and all media attention is focused on a general election campaign where the existing government expects to be returned to power. As such, it is even less likely that the implications of these new surveillance powers will become evident to the public until after they have been imposed in practice. They may never become evident… until they are abused to such an extent that the abuse is obvious.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.