The Right to Encryption? An Examination of Cryptography Law and Jurisprudence in the UK
Samuel Elliott
Introduction
Kahn, recounting the history of ‘secret writing’, notes that the ‘multiple human needs and desires that demand privacy … must inevitably lead to cryptology’.[1] Whilst the first formal study and application of cryptography can be credited to Arabic mathematicians,[2] advancements in the 20th century saw the widespread application of machine-based encryption in both governmental and civilian life.[3]
The debate on encryption rights forms ‘one of the defining issues of our culture in the 21st century’.[4] McNulty argues that the development of accessible and affordable means of encryption has enabled the public to share private information quickly and securely. Cryptography serves as the backbone for technologies spanning digital security, e-commerce and communications.[5] It not only protects the confidentiality of sensitive information but also enables users to digitally sign and verify messages. Denning argues that, despite significant debate on the merits of ‘unbreakable’ encryption, ‘practically everyone agrees that cryptography is an essential information security tool’ that should be readily available.[6]
Cheap and accessible encryption nonetheless presents an obstacle to law enforcement. Interception of communications can be rendered virtually useless: the ciphertext can still be captured, but its content cannot be read, placing it beyond the reach of a criminal investigation. Similarly, encrypted data may be seized, but without the key it is of practically no use to the investigator. Denning argues that an absolute right to secrecy in the form of cryptography could have devastating consequences for ‘public safety and social and economic stability’.[7]
At the time of writing, the UK has notified its intention to leave the EU in accordance with Article 50 TEU. Assuming the UK leaves on 12 April 2019, as is currently expected at the time of publication, it will fall outside the scope of the Commission’s proposed encryption regime. Furthermore, Prime Minister May reportedly plans to withdraw from the ECHR following Brexit.[8]
Given the potential for significant regulatory and legal divergence, it is useful to examine encryption rights within the UK. Cameron’s 2015 proposal to ban encrypted messaging services that the authorities could not read contrasts sharply with the EU and ECHR approach towards individual encryption rights.[9] Anderson’s report of the Investigatory Powers Review, A Question of Trust, published in June 2015, recognized the significant security risks that building backdoors for Government use would create for manufacturers.[10] However, the report did not suggest any reform of the key disclosure powers that apply to individuals under RIPA.
Regulation of Investigatory Powers Act 2000
Mandatory key disclosure powers have been in place in the UK since Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) was brought into force in October 2007.
Section 49(3) of RIPA sets out the circumstances wherein disclosure may be compelled. Disclosure may be required in the interest of national security, for preventing or detecting crime, or for the economic well-being of the United Kingdom.[11]
Key disclosure applies when encrypted data is seized or otherwise lawfully obtained. If the seizing body believes that a key to the protected information is possessed by ‘any person’, and that disclosure is necessary on one of the grounds in s 49(3) (or for the performance of any other statutory duty), a notice requiring disclosure may be served.[12] Where the person served holds both the protected information and the key, the notice is ordinarily satisfied by producing the information in intelligible form (s 50); a notice may require disclosure of the key itself only in the circumstances set out in s 51.
The disclosure requirements are qualified by the necessity that the requirement is ‘proportionate to what is sought’.[13] There must also be no ‘reasonably practicable’ means of obtaining a decrypted copy of the information without making a disclosure notice.[14]
The accompanying Code of Practice for Part III provides further detail as to what is envisaged by the proportionality requirement.[15] In determining proportionality, the authority serving the notice should consider ‘the extent and nature’ of the protected information, and whether disclosure might have any negative impact ‘on a business carried on’ by the person served.[16] It is notable that the proportionality requirements mirror those for a justified interference with Article 8 of the ECHR. This suggests that the Home Office recognized at the time of drafting that mandatory disclosure laws run the risk of interfering with Convention rights.
Failure to comply with a s 49 notice is an offence under s 53 of the Act, carrying a sentence of up to two years’ imprisonment in ordinary cases, or five years in national security or child indecency cases. This raises questions as to the efficacy of the punishment where the person refusing is thereby avoiding a harsher sentence. By way of example, offences involving indecent images of children can carry a sentence of up to 10 years in the UK.[17] A defendant may strategically refuse to hand over their encryption key, accepting the lesser punishment if they cannot otherwise be prosecuted.
This approach can be compared to the consequences of failing to decrypt and hand over data when ordered to do so under the All Writs Act in the United States.
Investigatory Powers Act 2016
The Investigatory Powers Act 2016 (IPA) vastly expands and codifies Governmental surveillance powers in the UK. The Act provides for the widespread interception of communications, the acquisition of communications data, and the decryption of encrypted information.[18]
The Act left the s 49 notice regime under RIPA Part III in place, but vastly increased the scope of the UK intelligence agencies’ powers to obtain decrypted data from providers in the UK and beyond.
Under the 2016 Act, the Secretary of State can serve a Technical Capability Notice (TCN) on a telecommunications operator requiring it to maintain, on an ongoing basis, the capability to remove electronic protection that the operator has applied (or that has been applied on its behalf) to communications or data (s 253(5)).[19] [20] Encryption is a form of electronic protection, so a provider that itself encrypts its users’ traffic can be required to retain a means of decrypting it for the authorities; in effect, a backdoor into the secure channel. Protection applied by a third party, which the operator has neither applied nor can remove, falls outside the obligation.
A TCN is a distinct instrument from a national security notice under s 252, but both are given by the Secretary of State and both must be approved by a Judicial Commissioner before they take effect.[21] A national security notice may be given only if the Secretary of State considers it ‘necessary in the interests of national security’ and ‘proportionate to what is sought to be achieved by that conduct’,[22] and a TCN is subject to an equivalent necessity and proportionality test under s 253. Furthermore, a national security notice cannot be used to require conduct for which a warrant or authorization is required under a relevant enactment.[23] TCNs can be given to persons outside the UK and can require things to be done (or not done) overseas.[24]
The IPA and the Extraterritorial Clash of Regimes
In comparative terms, the IPA provides for the most extensive interference in the form of mandatory decryption of data, together with the creation of the backdoors needed to facilitate it. The Commission’s proposal would take precedence over the IPA if the UK were to remain subject to EU law. Nonetheless, the imminent departure of the UK from the EU suggests that the position of encryption providers will differ sharply between the two jurisdictions.
However, should the EU give the Commission’s proposal a territorial scope as wide as that of the GDPR, whose Article 3 reaches controllers and processors outside the Union that offer goods or services to, or monitor the behaviour of, data subjects in the Union, the UK may be forced to recognize manufacturer encryption rights. Specifically, if personal data flows and communications into the EU were brought within the proposed encryption regime, the UK would have to maintain stronger standards of protection. Communications providers may be forced to ensure that encrypted data is not subject to subsequent interference or backdoors as a result of TCNs.
The extraterritorial clash of privacy regimes has previously led to conflicts between the US and the EU. The Schrems ruling invalidating the Safe Harbour decision shows that the CJEU is willing to tackle surveillance-related interference with EU data.[25]
If the finalized ePrivacy proposal provides for encryption rights for manufacturers handling EU data, the UK may have to meet EU privacy standards. An encryption-based Safe Harbour-style arrangement may be struck, under which foreign data is excluded from domestic and other international surveillance. This would affect both US and UK data and may be the next expansion of EU extraterritorial data policy after the GDPR.
[1] Kahn, The Codebreakers: The Story of Secret Writing (2nd edn, Scribner 1996).
[2] Rashed (ed), Encyclopedia of the History of Arabic Science (2nd edn, Routledge 1996).
[3] McNulty ‘Encryption’s Importance to Economic and Infrastructure Security’ (1999) 9 Duke Journal of Comparative & International Law 427, 427.
[4] ibid.
[5] ibid 429.
[6] Denning ‘The Future of Cryptography’ in Loader (ed), The Governance of Cyberspace: Politics, Technology and Global Restructuring (Routledge 1997) 175.
[7] ibid 178.
[8] Hope ‘Theresa May to fight 2020 election on plans to take Britain out of European Convention on Human Rights after Brexit is completed’ (The Telegraph, 2016) accessible at <http://www.telegraph.co.uk/news/2016/12/28/theresa-may-fight-2020-election-plans-take-britain-european/> accessed 6 August 2017.
[9] Kravets ‘UK Prime Minister Wants Backdoors into Messaging Apps or He’ll Ban Them’ (Ars Technica, 2015) arstechnica.com accessible at <https://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/> accessed 6 August 2017.
[10] Anderson ‘A Question of Trust: Report of the Investigatory Powers Review’ (Independent Reviewer of Terrorism Legislation, June 2015) accessible at <https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2015/06/IPR-Report-Print-Version.pdf> accessed 6 August 2017.
[11] Regulation of Investigatory Powers Act 2000 s 49(3).
[12] ibid s 49(1).
[13] ibid s 49(2).
[14] ibid.
[15] Home Office ‘Investigation of Protected Electronic Information: Code of Practice’ (2007) accessible at <https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97959/code-practice-electronic-info.pdf> accessed 6 August 2017.
[16] ibid.
[17] Criminal Justice and Court Services Act 2000 s 41(2).
[18] Cropper ‘The Investigatory Powers Act 2016 – A "Snoopers' Charter" or a legitimate surveillance tool for today's society?’ (Privacy, Security and Information Law, 2017) accessible at <http://privacylawblog.fieldfisher.com/2017/the-investigatory-powers-act-2016-a-snoopers-charter-or-a-legitimate-surveillance-tool-for-todays-society/> accessed 6 August 2017 (Cropper).
[19] Investigatory Powers Act 2016 s 253.
[20] Cropper (n 18).
[21] Investigatory Powers Act 2016 s 252.
[22] ibid s 252(1).
[23] ibid s 253(5).
[24] ibid s 253(7).
[25] Case C-362/14 Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650.