Why the IP Bill Threatens the UK Tech Industry
By Brian Spector, CEO, MIRACL
Last week was a turning point in the history of UK government surveillance. If it proceeds into statute, the Snooper’s Charter could have huge ramifications for our collective privacy. It has the potential to undermine trust in the Internet as a whole, from service providers, to device manufacturers, to the apps we use as part of our everyday lives. But it also has serious implications for tech companies, which, under the proposals, would be legally bound to help UK police and security services access an individual’s device. Looking beyond the privacy arguments, this could also make it much harder for British technology and information security companies to compete globally. This is because the current wording of the bill means that any software made by a British company could soon be perceived to be facilitating government spying on its customers’ data.
Despite several revisions, the current wording of the IP Bill suggests that it would force tech companies to create backdoors that allow government agencies to access data, or force tech companies to decrypt any potentially sensitive data as deemed necessary by government agencies. The Home Office has a chequered past when it comes to exploiting loosely worded legislation. For example, and from personal experience, it can deem any service that connects to the Internet as a CSP, a Communications Service Provider. Since all services and software connect to the Internet these days, this classification can be extended to any business that offers connected services or software. Once a business is classified as a CSP, the Home Office can mandate, through the technical assistance clauses in the legislation, a re-write of that business’s software to include backdoors. While this currently requires judicial approval, the burden of proof is still on the business to prove that any modification of its software would be an undue burden. The government’s unwillingness to categorically deny that it will seek backdoors creates an environment where all software and software-as-a-service offerings released by British companies will have the overhang of suspicion that they could have backdoors created to snoop on customers’ data. This will have major negative consequences for the British software industry as a whole, because any products or services released by a British company will be viewed as untrusted and insecure.
While the UK may be following a path laid out by the USA, not all governments choose to adopt such surveillance strategies. The Dutch government has said publicly that it will not force tech firms to share encrypted communications such as emails with its security agencies. In a letter to the Dutch parliament, the head of the Ministry of Security and Justice, Ard van der Steur, explained the government’s reasons for endorsing strong encryption, which sound quite similar to those cited by Apple’s CEO, Tim Cook. [1] According to a translation of the letter, van der Steur points to the uses of encryption for protecting the privacy of citizens, securing confidential communications by government and businesses, and ensuring the security of internet commerce and banking against cybercrime.
British technology and information security companies are already being courted by the Dutch, Swiss and Luxembourg governments, which, because of their declarative statements on encryption, are offering their countries as places to re-domicile businesses and ensure operational continuity. Many British businesses will respond to this call in order to lose the overhang of offering insecure products in a globally competitive environment.
Without an explicit ‘No backdoors’ statement written into the legislation, this bill will harm British industry by making it more difficult for British businesses to compete globally. It will also harm the security of British citizens, and create the kind of “business vs. government” mentality that will make us all less safe. The problem is that the IP Bill wouldn’t just make it easier for the government to spy on UK citizens; it would also weaken the very products and standards that we all use to protect ourselves. The government believes that it can manipulate security in such a way that only it can take advantage of that subversion. But this is simply untrue. If we insert vulnerabilities, we weaken security for everyone. The same vulnerabilities used by intelligence agencies to spy on global citizens can also be used by criminals to steal your passwords. We either enable spying – by either governments or hackers – or we defend against it.
For the Internet to continue to grow and flourish, we need to re-establish the foundation for trust. To do this, users need to believe that the systems they use online are not part of a government program to spy and snoop on its citizens. We all own the Internet, and we need to fix it together.
[1] https://blog.cyberwar.nl/2016/01/full-translation-of-the-dutch-governments-statement-on-encryption/