Investigatory Powers Act: Encryption

[I've updated this 2015 post to refer to the section numbers in the Investigatory Powers Act 2016. As far as I can see, the powers contained in the Act are the same as those proposed in the draft Bill]

Over past months there has been various speculation that the Investigatory Powers Bill [now the Investigatory Powers Act 2016] would try to ban the use of strong encryption. Now the proposed text has been published [and still under the Act as passed], it doesn't seem to go quite that far. It won't be illegal either to use strong encryption or to provide it.

However clause 189 of the draft Bill [section 253 of the Act] does create a power for the Secretary of State to order any provider of telecommunications services or public postal services (including those outside the UK – clause 190(5) [section 253(8)]) to implement "technical capabilities". The limits on such orders are contained in clause 189(3), which requires that it must be practicable for the operator to comply with the requirement [section 253(4)] and that by doing so they will "provide assistance" [section 253(1)(a)] to those authorised to conduct interceptions (Parts 2 and 6), obtain communications data (Parts 3 and 6) or interfere with equipment (Part 5). Clause 189(7) [section 253(1)(a)] seems to imply that a "technical capability order" could be made before any specific requirement to intercept etc. had been identified or authorised.

Clause 189(4) [section 253(5)] gives some examples of areas where a technical capability might be ordered, including c189(4)(c):

obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data

[In the Act, the example in s.253(5)(c) is slightly modified:

obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.]

So it seems that the possibility of ordering a telecommunications provider to remove encryption is in the Government's mind. It's easy to imagine circumstances where a decryption capability would assist with interception or data collection, so the only restriction seems to be whether it is practicable for the communications provider to do it. That may not be possible, even where the provider has itself applied the encryption. Many modern algorithms are "one-way": I encrypt, you decrypt. Most people who regularly use encrypted e-mail will have had the experience of forgetting to "encrypt-to-self" and having to ask the recipient to send a copy back again!

The process for issuing a technical capability notice gives the provider opportunities to raise these issues, both before and after issue. Clause 191 [section 257 of the Act] allows an issued notice to be referred back for review, at which point the Secretary of State must consult with both the Investigatory Powers Commissioner [now replaced by a Judicial Commissioner] and the Technical Advisory Board. Things to be taken into account include the technical feasibility, cost and other impacts on the provider (clause 190(3) [section 255(3) & (4)]). So it seems unlikely that a notice that was actually impossible to comply with would be imposed. However if you are using, providing or recommending any encryption system where a layperson might imagine you could decrypt messages (and I suspect that means pretty much anything involving asymmetric keys) then it would be a good idea to document who actually can and cannot do so.