The IP Bill: opaqueness on encryption?

One thing that all three of the Parliamentary committees that reviewed the Draft Investigatory Powers Bill agreed upon was that the bill needed more clarity over encryption.

This is the Intelligence and Security Committee report:

[Screenshot: excerpt from the report]

This is the Science and Technology Committee report:

[Screenshot: excerpt from the report]

This is the Joint Parliamentary Committee on the Investigatory Powers Bill:

[Screenshot: excerpt from the report]

In the new draft Bill, however, this clarity does not appear to have been provided – at least as far as most of the people who have been reading through it have been able to determine. There are three main possible interpretations of this:

  1. That the Home Office is deliberately trying to avoid providing clarity;
  2. That the Home Office has not really considered the requests for clarity seriously; or
  3. That the Home Office believes it has provided clarity.

The first would be the most disturbing – particularly as one of the key elements of the Technical Capability Notices as set out both in the original draft bill and the new version is that the person upon whom the notice is served “may not disclose the existence or contents of the notice to any other person without the permission of the Secretary of State” (S218(8)). The combination of an unclear power and the requirement to keep it secret is very dangerous.

The second possibility is almost as bad – because, as noted above, all three committees were crystal clear about how important this issue is. Indeed, their reports could be seen as models for the Home Office as to how to make language clear. Legal drafting is never quite as easy as it might be, but it can be clear and should be clear.

The third possibility – that they believe they have provided clarity – is also pretty disastrous in the circumstances, particularly as the amount of time that appears to be being made available to scrutinise and amend the Bill appears likely to be limited. This is the interpretation that the Home Office ‘response to consultations’ suggests – but people who have examined the Bill so far have not, in general, found it to be clear at all. That includes both technological experts and legal experts. Interpretation of law is of course at times difficult – but that is precisely why effort must be put in to make it as clear as possible. At the moment whether a backdoor or equivalent could be demanded depends on whether it is ‘technically feasible’ or ‘practicable’ – terms open to interpretation – and on interdependent and somewhat impenetrable definitions of ‘telecommunications operator’, ‘telecommunications service’ and ‘telecommunications system’, which may or may not cover messaging apps, hardware such as iPhones and so forth. Is it clear? It doesn’t seem clear to me – but I am often wrong, and would love to be corrected on this.

This issue is critical for the technology industry. It needs to be sorted out quickly and simply. It should have been done already – which is why the first possibility, that the lack of clarity is deliberate, looms larger than it ordinarily would. If it is true, then why have the Home Office not followed the advice of all three committees on this issue?

If on the other hand this is simply misinterpretation, then some simple, direct redrafting could solve the problems. Time will tell.

7 thoughts on “The IP Bill: opaqueness on encryption?”

  1. IANAL but do spend far too much time reading UK legislation, although mainly SIs and DCOs, which seem to be deliberately written so as to be unintelligible.

    As far as encryption is concerned the previous draft Bill at section 189 – 4c said this regarding obligations on a CSP:

    (c) obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data;

    And in the latest draft Bill this has now become section 217 where 4c now says:

    (c) obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data;

    So moving “by a relevant operator” and the addition of “by or on behalf of that operator” represents the sum total of the clarification that the Home Office have added in response to the 3 sets of recommendations regarding encryption.

    I would suggest that this clearly fails to meet the standards required by those committees.

    The draft also contains some truly opaque wording such as:

    (6) Where obligations have been imposed on a relevant operator (“P”) under section 217 (maintenance of technical capability), for the purposes of subsection (4) the steps which it is reasonably practicable for P to take include every step which it would have been reasonably practicable for P to take if P had complied with all of those obligations.

    This seems to me like the textual equivalent of a Mobius strip and adds little to the Bill other than to take up extra space – indeed the author is so enamoured of this polished prose that it is repeated no less than 4 times in different Sections of the Bill. One might almost imagine that the author was being paid by the word.

    1. Thanks! Only adds a little clarity, so far as I can see – still leaves all the vagueness over practicability and technical feasibility, and fuzziness over ‘on and behalf of’. There are more problems too – I might write more over the weekend if I get the chance.
