The U.K. Parliament this week passed a sweeping new surveillance law called the Investigatory Powers Act, which, among other things, opens the door for law enforcement agencies to collect bulk phone records and browsing data. It also allows the government to create clearinghouses of searchable personal data gathered from multiple sources.
The law’s passage caught many in the U.K. off guard—in part because so many lawmakers and residents there are still reeling from the country’s surprise vote to exit the European Union earlier this year. At the same time, the bill was high on the agenda of the ruling Conservative Party, so it’s no surprise that there was plenty of energy put into passing it.
But opposition parties, one expert told me, were too distracted by Brexit to put together a strategic political effort to stop the IPA’s passage. Now it’s too late.
I wrote earlier this week about how the new law might affect U.S. companies like Apple doing business in the U.K. But the larger question is how elements of the law might be exported to other countries around the world, including the U.S., thereby weakening the ability of companies to protect their users’ privacy.
“The reason why this is especially disturbing is that other countries could be influenced by it,” says the Electronic Frontier Foundation’s international director, Danny O’Brien. “It’s a menu, a manifest, for other international law enforcement and national security agencies to imitate.”
For instance, the IPA could be used to require tech companies that do business in the U.K. to intentionally weaken the security of their hardware and software products so that law enforcement agencies, at least with a warrant, could easily gain access to them to recover evidence.
The U.K. bill passed less than a month after a U.S. election that resulted in a Republican-controlled House and Senate, and a Republican president. And not just any Republican president, but Donald Trump, who is decidedly on the side of law enforcement in the debate over encryption backdoors.
“This is a president who, as a candidate, came out specifically against Apple on that issue,” O’Brien said. Trump also talked hawkishly on foreign policy throughout the campaign. “We expect [the IPA] could be very influential with a new president that sees national security as a major priority,” O’Brien said.
But while the U.K.’s new law might change the climate around surveillance—at least somewhat—lawmakers in the U.S. remain divided on encryption. Many lawmakers acknowledge they have much more to learn about the implications of backdoors before voting for a law that requires tech companies to build them.
Today, as it happens, is the first anniversary of the San Bernardino shootings, in which terrorists Syed Farook and his wife, Tashfeen Malik, shot up a county facility, killing 14 and injuring 22. The FBI tried to force Apple in court to provide a hack to unlock the contents of the iPhone 5s used by Farook, which they thought might contain evidence. Apple refused, arguing that weakening the security on one iPhone 5s would weaken the security of all iPhone 5s’s. So began a months-long legal and rhetorical battle. Apple won out, but many in law enforcement, including FBI director James Comey, remain steadfast that decryption backdoors are essential to criminal and national security investigations.
Several bills were introduced during the current 114th Congress requiring tech companies to provide decryption backdoors. The best known of them, the Compliance with Orders Act of 2016, was introduced earlier this year by senators Richard Burr and Dianne Feinstein, the Republican chair and Democratic ranking member, respectively, of the Senate Intelligence Committee.
The Burr-Feinstein encryption bill required tech companies (and, potentially, any company) to provide encryption backdoors to their products in case law enforcement needed entry during an investigation. But the legislation met with opposition from the start. Senator Ron Wyden (D-Oregon) promised to filibuster if the bill came to the Senate floor. The Burr-Feinstein encryption bill eventually died in committee, and by May was considered dead.
Burr and Feinstein were a pair of powerful senators from opposite parties who shared similar views on encryption. But that dynamic duo won’t exist much longer.
Going into the 115th Congress next year, Feinstein will become the ranking member of the Senate Judiciary Committee and will be replaced as ranking member of the Senate Intelligence Committee by Senator Mark Warner (D-Virginia), who has been outspoken in his resistance to encryption backdoors. Warner and Texas Senator Michael McCaul earlier this year pushed forward a new committee to study encryption and other cybersecurity matters.
“I believe that we can strike an appropriate balance that protects Americans’ privacy, American security, and American competitiveness, but we won’t achieve that while all sides continue to talk past each other,” Warner said in a release. “What we don’t want is a solution that could simply drive terrorists to use software and hardware based overseas, pushing their communications even farther out of reach for American law enforcement and intelligence.”
Both Rep. Zoe Lofgren (D-Calif.) and Wyden told me last spring that many members of Congress see no way to establish the “appropriate balance” that Warner mentions, and that attitude still exists in Washington today. Many believe no such middle ground can exist to satisfy both the data security needs of tech companies and consumers, and the need of government agencies to access that data with a court order. Lofgren put it this way: “It’s either a one or a zero; you either have strong encryption or you don’t.”
Prominent Republicans like Lindsey Graham (R-South Carolina) and Mike Lee (R-Utah) have also voiced their opposition to a law requiring encryption backdoors for law enforcement.
Even the head of the NSA doesn’t sound too sure about the implications of requiring encryption backdoors. Testifying before the Armed Services Committee in September, NSA and U.S. Cyber Command chief Adm. Mike Rogers was more circumspect on the subject than you might expect from the nation’s top spy.
“The challenge becomes, given the premise that encryption is foundational to the future, what’s the best way for us to ensure the protection of information, the privacy and civil liberties of our citizens and the production of the foreign intelligence necessary to ensure their protection and safety?” Rogers asked in his written testimony. “All three are incredibly important to us as a nation.”
In short, the climate likely won’t be right for a security-hampering bill next year, despite the harsh words of Donald Trump and the passage of an equally harsh bill across the pond.