Since the well-documented FBI–Apple encryption dispute made global headlines, there has been ongoing debate as to whether governments should ever be granted special access to encrypted data. In the UK, the debate intensified following the announcement that the Investigatory Powers Bill (IPB) had been approved by the terror laws watchdog.
The somewhat controversial act grants agencies the right to monitor online activities of citizens, and is supported by examples of instances when the monitoring of email, phone and internet behaviour has had a real impact in saving lives. So in essence, if the UK government sees fit, it will be well within its rights to force companies to decrypt encrypted data and grant government access to the information or communications within.
The debate on the subject, which took place at the House of Lords in June, saw strong arguments put forward both for and against the IPB, but ultimately led to a vote of 444 to 69 in favour of the Bill. While it can’t be denied that the intentions behind the Bill are certainly commendable and sound reasonable in theory, fundamental problems remain.
Firstly, the Bill would require a certain level of public confidence that the government would respect the accountability controls put in place to ensure this level of access is used appropriately. By allowing data to be decrypted in special circumstances as dictated by the government, the essence of the technology is compromised. As it stands, the scope of the Bill is still vague and can be interpreted to cover any business that operates a public or private network, meaning that all online businesses, including networks such as those of Facebook and Twitter, will be left open to the possibility of the government requesting access to encrypted communication.
Before moving forward, it’s important to remember that encryption is one of the most effective ways to secure data – especially when combined with access controls and data access monitoring. ‘Back door’ access will, by its very nature, compromise some of this security, particularly if it ever falls into the wrong hands or is abused, in this instance potentially putting some of the UK’s largest organisations at risk of compromise.