Why force the introduction of backdoors to encryption technology?

02 December 2015

Author: Sachiko Muto

The UK is currently reviewing its legal framework governing the use and oversight of investigatory powers by law enforcement and intelligence agencies (see the proposed text of the draft Bill here). The text of this proposed new legislation is meant to update the Regulation of Investigatory Powers Act (RIPA) which dates back all the way to 2000 (see here), so it would seem relatively sensible for a new framework, adapted to today’s new technologies and new forms of threats, to be put in place.

Encryption technologies have become an essential part of the modern Internet, and making those tools less accessible to citizens generally isn’t likely to help improve their security

The draft Bill acknowledges the existence of legitimate privacy concerns around governmental oversight of personal data. In fact, some of the proposed measures would significantly improve the current situation in this regard. For instance, the proposed legislation would introduce a new “double-lock” system to control interception warrants, so that, following authorisation from the Secretary of State, they cannot come into force until they have been approved by a judge.

But the draft Bill would also introduce new obligations for communication service providers, including an article that would require them to compromise their systems by introducing backdoors into the encryption software that they use; the draft Bill was published early in November in a document commencing with an introductory “Guide to Powers and Safeguards” chapter, which would not form part of the proposed new legislation, but which is intended to be descriptive of the intended effect of the proposals, in terms of powers and safeguards; in that chapter, one can find the following:

“62. b. RIPA requires CSPs to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.”

This is a dangerous idea and would set a bad precedent – not to mention that it would be of little practical use. As we’ve explained in our recent submission to the current UK House of Commons inquiry into the draft Bill, introducing such backdoors would generate a very real risk of making communications less secure for the general public, whereas criminals will always find access to reliable encryption tools.

It’s not just the UK, either – other European countries have been considering similar laws; and at the EU level, just last week the European Parliament adopted a resolution on the prevention of radicalisation and recruitment of European citizens by terrorist organisations. Again, we find in this resolution the misconception that encryption technologies are somehow responsible for facilitating criminal activities and that something should be done to limit or weaken their use :

“23.  Raises serious concerns over the increasing use of encryption technologies by terrorist organisations that make their communications and their radicalisation propaganda impossible for law enforcement to detect and read, even with a court order; calls on the Commission to urgently address these concerns in its dialogue with internet and IT companies;”

Encryption technologies have become an essential part of the modern Internet, and making those tools less accessible to citizens generally isn’t likely to help improve their security – indeed, it may have the opposite and unintended consequence of increasing the risk of their falling prey to online fraudsters and other criminal elements.


Picture under CC BY 2.0 Yuri Samoilov