Tech Giants Vs The Government: The Standoff on UK Surveillance-bill proposals
The Investigatory Powers Act 2016
The Investigatory Power Act (IPA) came into law in 2016, replacing the 2014 Data Retention and Investigatory Powers Act (DRIPA). The act was labeled “The Snooper’s Charter” by critics who were and remain seriously concerned about the intrusive, wide-ranging surveillance powers introduced by the government and how these impact our liberty and autonomy.
The new measures introduced in the 2016 Investigatory Powers Act enabled security agencies and Police to intercept suspicious communications and the Home Office to compel communication providers to remove encryption from communications or data. Encryption prevents messages from being accessed by third parties and is offered by popular messaging apps like WhatsApp and Signal.
Many argue that encryption protects users from surveillance or theft and reduces the risk of exposure to fraud, but there is also significant concern within government and national security agencies regarding the role of encryption as a catalyst for serious criminality.
The decade following Snowden’s whistleblowing revelations
Considering the revelations made by Edward Snowden in 2013 regarding GHCQ (British Intelligence Agency), which exposed their use of fibre-optic cables to access private emails, phone data, and internet search histories – many might have expected surveillance powers to be cut back in the following decade. Snowden’s revelations were met with public outrage, especially as it became apparent that the government had used the “war on terror” as an excuse to erode our autonomy and liberty.
However, this expected “cut-back” on surveillance powers has not been effectuated and the government has instead continued its attempts to increase state surveillance, mainly through amendments and additions to the Investigatory Powers Act 2016 itself. The governmental advocacy for these proposed additional clauses to the Investigatory Powers Act is underpinned by arguments for keeping the law “relevant” as technology develops and “protecting the public from criminals, child sex abusers and terrorists”. This is further exemplified by the Online Safety Bill which is currently being debated in Parliament but is expected to pass into UK Law imminently. This bill will require companies to install technology to scan for child sex exploitation and abuse (CSEA) material and terrorism content in encrypted messaging apps and other services. The bill does not explicitly call for the removal of end-to-end encryption but constitutes a serious weakening of this service as companies would be required to scan all messages and flag those relevant to areas of concern such as child abuse.
Apple and WhatsApp’s resistance
In 2023, discussions around these proposed changes have culminated in a stand-off between the government and some of the world’s biggest Tech Companies such as Apple and WhatsApp.
In July 2023 it was revealed that the government is once again seeking to update the Investigatory Powers Act 2016. Part of the proposed updates included in the Online Safety bill and would require messaging services to clear security features with the Home Office before releasing them to customers. The Investigatory Powers Act 2016 already enables the Home Office to demand disabling of security features without informing the public, but the proposed update would make this process immediate, removing the current review and independent oversight process to which any demand by the Home Office to disable security measures, would currently be subjected to by law.
There is a degree of secrecy surrounding these demands by the Home Office to disable security features, and not much is known regarding the number of individual requests issued to date and whether they have been complied with by the Tech platforms, many of which offer end-to-end encryption, which renders messages un-accessible by those outside of the digital conversation.
Threats to remove messaging services
However, Apple has now indicated it will remove services such as FaceTime and iMessage from the UK rather than weaken security if the new proposals are legislated. WhatsApp and Signal are also among the platforms opposing clauses in the Online Safety Bill which would require them to install and use technology to scan all encrypted messages.
The government has opened an eight-week consultation on the proposed amendments to the Investigatory Powers Act, which already enables the storage of Internet browsing records for 12 months and authorizes the bulk collection of personal data. The government has emphasized the proposed updates are "not about the creation of new powers" but making the act more relevant to current technology.
Apple, in particular, have outlined their key concerns in a nine-page long submission outlining their position, opposing the requirements to:
- Inform the Home Office of any changes to product security features before they are released,
- for UK-based companies to comply with changes that would affect products globally, such as providing a backdoor to end-to-end encryption.
- take immediate action if a notice to disable or block a security feature is received by the Home Office.
In addition, Apple has emphasized they do not intend to make changes to security features specifically for one country that would weaken a product for all users, but also that some changes would require software updates so they couldn’t be made secretly, and lastly that the proposals "constitute a serious and direct threat to data security and information privacy" that would affect people outside the UK. The Tech giant also noted the proposed increased powers would give the UK an “authority that no other country has” and would stifle innovation.
The conundrum at hand
Experts believe the tech firms are “not bluffing” by threatening to withdraw services from the UK in light of the government’s stance on encryption. However, the government has previously demonstrated its determination to increase Investigatory Powers even when faced with rulings from the European Court of Justice, whereby in 2016 it was ruled that EU member states couldn’t force internet companies to keep email data on a "general and indiscriminate" basis.
We are therefore faced with a significant stand-off, between tech companies and the UK Government, with the potential for extremely impactful outcomes for the future of Online Safety and surveillance.
This standoff constitutes a significant conundrum because concerns around child online safety are legitimate and exemplified by cases such as the death of 14-year old Molly Russell who committed suicide after viewing extensive amounts of online content related to suicide, depression, self-harm, and anxiety.
This case in particular was a driving force for the new Online Safety bill, as well as the ever-pertinent threat of child domestic and sexual abuse, which is exacerbated by technological advancements. However, an equally real danger is the potential for the surveillance measures which are being pushed as anti-child abuse initiatives, to be used for ulterior motives such as wide-ranging surveillance targeted at entire populations or demographics. The IPA for example allows for “bulk hacking” including the use of emails or messages to install spyware that remotely accesses the entire contents of electronic devices. To be contextually specific, such powers can pose a danger to the free press by compromising relations between journalists and their sources, but also other in other fields such as private discussions between lawyers and their clients, which would seriously undermine clients' confidentiality privileges and in turn undermine the entire Justice System. The potential for overly intrusive investigatory practice exacerbated by the Investigatory Powers Act and Online Safety Bill, is varied and far-reaching and likely to impact some of our most pivotal societal rights such as protesting and campaigning for what we believe in.
It is therefore imperative that independent scrutiny and review processes are maintained in relation to the induction, amendment, and disabling of Tech platforms’ security measures when requested by the Home Office. It is equally important that the security and safety concerns about child abuse being facilitated online, are addressed and acted upon efficiently. However, concerns about the latter should never be used as an excuse to impose on the liberty and autonomy of individual law-abiding members of society. The Tech company's concerns are legitimate and the government should seriously consider its position on the matter, as this constitutes a pivotal moment for the protection of individual privacy and liberties as well as the future of surveillance.