Out-Law / Your Daily Need-To-Know

Planned UK regulations specify telecoms operators' duties on encryption

10 May 2017, 5:01 pm

Telecoms operators could be required to remove encryption applied to data or communications under draft new UK regulations the government is consulting on.

Under the plans, which would flesh out existing UK surveillance laws, the operators would only be obliged to remove encryption they have applied, or which has been applied on their behalf. They would not be required to remove encryption applied by third parties.

The proposals stem from powers the government has to set out the type of technical assistance that UK authorities such as law enforcement agencies and the intelligence services can expect to be given by telecoms operators when they exercise a warrant for the lawful interception of communications.

One of the obligations telecoms operators could be placed under, under the draft regulations, is a duty "to provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection".

The measure is set out in the draft Investigatory Powers (Technical Capability) Regulations 2017 and seeks to give practical effect to provisions contained in the UK's Investigatory Powers Act. As well as containing rules on the lawful interception of communications, the Act governs how UK authorities access 'communications data', gather data about the public in bulk, and use equipment interference methods.

The draft regulations were not made available for public consultation, but were instead published by civil liberties campaigners the Open Rights Group (ORG). The ORG explained which organisations had been consulted on the proposals in a post on its website. The "secret" consultation was criticised by the ORG's executive director Jim Killock.

Killock said: "The regulations would make the demands that [UK home secretary] Amber Rudd made to attack end-to-end encryption a reality. But if the powers are exercised, this will be done in secret. The public has a right to know about government powers that could put their privacy and security at risk. There needs to be transparency about how such measures are judged to be reasonable, the risks that are imposed on users and companies, and how companies can challenge government demands that are unreasonable."