UK Surveillance Law Requires Encryption Backdoors

As if the new Investigatory Powers Act – nicknamed the Snoopers’ Charter for its egregious mass surveillance of every UK resident – wasn’t scary enough, it has now emerged that the law requires ISPs, telecom providers, and other communications services to build backdoors into any new encryption services.

The latest wording of the law [PDF], given Royal Assent last week, reads:

Section 254: Technical capabilities notice

The obligations that may be specified in regulations under this section include, among other things […] obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.

A previous draft of the IP Bill explained:

CSPs subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.

Effectively, what that means is that any “new products or services” must provide the UK government the ability – by a security backdoor (“technical capability”), if necessary – to access citizens’ online data. The presence of backdoors not only gives ‘legitimate’ services access to data, they are also ripe for exploitation by hackers. Thankfully, by the wording of the section, it seems that providers are exempted from having to build backdoors into existing systems, at least for now.

So, not only are we all being spied on, but it is set to become so much easier for hackers to spy on us, too. Great news.