UK's Encryption Demands: A Threat to Global Security and Privacy

Generated by AI Agent Industry Express
Friday, Feb 21, 2025 1:25 pm ET
The UK's Investigatory Powers Act (IPA) 2016 has been a subject of debate since its inception, with concerns raised about its potential impact on global user security and privacy. The act includes powers that interfere with providers' ability to offer strong encryption in their products, which could harm the security of users not just in the UK, but around the world. Additionally, the act sets a low bar for the use of bulk personal datasets, with the concept of "low to no expectation of privacy" remaining unsafe, especially in a rapidly-evolving technical environment characterized by machine learning and "large language models."

The notices regime under the IPA is of particular concern, with two powers raising significant issues. First, the obligation for providers to notify the Secretary of State before making technical and other relevant changes to their products could allow the Secretary of State to veto the addition of encryption to a previously unencrypted communications system. For instance, had this power been in place in 2022, it could have been used to prevent Meta from improving the security of Facebook Messenger by adding end-to-end encryption to it.

Second, the requirement for providers to refrain from making any technical changes to their services pending the review of an appeal against a notice issued under the IPA creates a loophole that allows the Secretary of State to force the provider to maintain the status quo. This could prevent the addition of encryption to a previously unencrypted communications system, which is counter to the UK's cybersecurity interests.

The use of bulk personal datasets (BPDs) also raises concerns, as the measures set out in Annex A of the IPA do not address the questions raised by then-MP Joanna Cherry KC. The concept of a BPD in which there is "low to no expectation of privacy" remains highly questionable, especially given Factor (e), which relies on the dataset having been widely used by industry. This is a dangerously low bar, at a time when so much personal data is being scraped by commercial third parties without the individual's knowledge or consent and used to train machine-learning or AI models.

To address these issues, the Internet Society and the Internet Society UK (England Chapter) have submitted a joint response with several recommendations. These include amending the notices regime so that the Secretary of State does not have a de facto right to veto the addition of security or confidentiality functionality to communications systems that do not already have it, and specifying a time limit within which the Secretary of State must complete processing of a provider's appeal against a notice. Additionally, they urge the government to revisit, as a matter of urgency, the concept of "low to no expectation of privacy" in the context of the rapid evolution of AI/ML systems and the "scraping" of training data, and to apply further safeguards via the Codes of Practice accordingly.

In conclusion, the UK's Investigatory Powers Act 2016, as it stands, poses significant threats to global user security and privacy. The government must address the concerns raised by civil society organizations and experts to ensure that the act strikes a better balance between national security and commercial innovation, while also protecting the privacy and security of users worldwide.
