Analysis The Home Office’s war on encryption – one of the most technically complex and controversial strands of modern UK policymaking – is starting to look like a battlefield failure after more than ten years of skirmishes.
Former prime minister David Cameron first floated the idea in 2015, following the terrorist shooting at the offices of French satirical magazine Charlie Hebdo, and vaguely worded provisions alluding to a potential ban made their way into the Investigatory Powers Act 2016.
The roots of the government’s anti-encryption agenda run deeper and older, though. As early as 2000, the UK government’s stance on encryption was marked by a push for the ability to intercept encrypted communications, namely via the Regulation of Investigatory Powers Act (RIPA).
Recent reporting suggests, however, that after a decade-plus losing battle to break the fundamental privacy protections that end-to-end encryption (E2EE) provides users, the Trump administration could halt those plans for good.
Security experts, privacy geeks, and pretty much everyone with the faintest clue about how E2EE works know that backdooring the likes of iMessage and WhatsApp for law enforcement alone, without weakening the protection for everyone, is impossible. Data is either end-to-end encrypted or it isn’t. There is no in-between.
That has not stopped multiple ruling parties in the UK from pushing on with anti-encryption rhetoric.
And yet, despite heavy backlash from the tech industry and beyond over the feasibility of undermining encryption, the country’s lawmakers have effected change.
After the Home Office served Apple with a demand to break encryption earlier this year, the tech giant threw the technically confused UK government a bone by withdrawing its Advanced Data Protection iCloud feature for UK users.
However, it seems Home Office staff are now coming to terms with the fact that the Trump administration will block any attempt to further strongarm America’s tech companies.
Insiders told the Financial Times, speaking on condition of anonymity, that the Trump administration’s disapproval of the UK’s plans, which the president has previously likened to Chinese-style policymaking, is the main obstacle in achieving its encryption-busting ambitions.
Officials know the US doesn’t want anyone touching its tech companies. For the UK’s closest ally – historically at least – it’s a firm red line.
Should the UK indeed back down on its encryption ban ambitions, it would raise further questions over its sovereignty – its ability to set its own laws without having to bend the knee to the US.
There is not an abundance of cases in which the UK’s legislature has been forced to back down in the face of political pressure from overseas, although some might say Huawei’s removal from Britain’s 5G networks – with the government issuing legal notices to vendors after US sanctions, combined with a severe diplomatic push – is an example. Another semi-recent example came in 2022 and concerned the UK’s plan to ship asylum seekers off to Rwanda.
The EU said that plan broke international law, and the European Court of Human Rights (ECtHR) – a Council of Europe court, not an EU institution – issued an interim measure to stop the first deportation flights until UK courts could assess the legality of it all.
The legislation was passed by Rishi Sunak’s UK government last year, but incoming Prime Minister Keir Starmer binned the program not long after taking office, as promised during his election campaign.
Ironically, the EU tabled its own regulation earlier this year to send illegal immigrants to “return hubs,” one of which is rumored to be… Rwanda.
Back to the point at hand: legal experts who spoke to The Register when the UK-Apple encryption furor kicked off in January said the UK could risk another run-in with the ECtHR if it went ahead with its encryption plans, putting it on a similar footing to Russia.
Will Richmond-Coggan, partner at Freeths specializing in privacy and cybersecurity disputes, told us: “Insisting on this level of access, even with judicial supervision of the process, may well place the UK on a collision course with previous decisions made in the European Court of Human Rights, which has previously ruled (in the case of a similar attempt by Russia to broaden the scope of its domestic surveillance capabilities) that this contravened people’s privacy rights.”
A reminder: in its pursuit of an encryption backdoor, workaround, or however it’s dressed up, the UK has been compared by its closest political ally to China, while legal experts say the potential for human rights violations would put it on par with Putinland.
That’s not even considering all the other countries known for questionable records on human rights, free speech, surveillance, et al.
Separate from the unwelcome company the UK would keep, such a move could lead to diplomatic difficulties with the US, with Home Office officials reportedly concerned over how future tech deals with the US could play out.
Tulsi Gabbard, the US’s director of national intelligence, previously said of the Apple technical capability notice (TCN) that she was not made aware prior to it being issued.
She added that if the UK mandated an encryption workaround, it would be an “egregious violation” of public privacy which could risk the data agreement held between the UK and US.
Putting aside the potential embarrassment of the US shutting down decade-long UK policymaking efforts, privacy advocates will rejoice if the UK’s attempts to bypass E2EE are foiled or otherwise buried.
The UK will no doubt have a soundbite ready showing there was a reasonable compromise between achieving its encryption ambitions and appeasing political allies.
How it will play out is tough to predict. Tech regulation and legislation are a difficult beast, and the debate on legally circumventing encryption will not end.
The debate is especially “thorny,” as one individual told The Register, because even the experts can’t land on a definitive resolution. Privacy campaigners are adamant that E2EE must remain impregnable, while some cybersecurity folk – usually a bunch that lean on the side of technology – are less absolute in their takes.
Graeme Stewart, head of public sector at Check Point, said: “There’s no easy answer. Personally, I don’t see any value in banning encryption or VPNs. It’s a deeply flawed idea driven more by political posturing than technological reality. That said, we do need mechanisms for lawful intercept when absolutely necessary. And we do want to protect children from harmful online content.”
In his view, the way forward is to act on the other components that facilitate online harms. Instead of banning encryption on social media platforms, why not mandate social media sign-ups with government-backed digital IDs, for example?
### Thorny, disjointed, and divisive
The Home Office’s official lines on encryption are confused. It says it has no intention of compelling messaging platforms to break encryption, but also demands they implement safety features to help detect criminal activity.
As part of its TCNs, it also requires relevant operators to assist the government in intercepting data.
Frustratingly for encrypted messaging platforms, it does not specify the ways in which they must do this.
So, you can see why these platforms are threatening to pull out of countries that seek to ban or undermine E2EE, or do so indirectly.
One of the prominent suggestions for allowing E2EE to exist while also appeasing the UK government is for platforms to deploy client-side scanning (CSS). This would see content generated on a user’s phone matched against a database of fingerprints (hashes) of known objectionable material before it is encrypted and sent to the recipient.
The problem here is that while messages are technically still end-to-end encrypted, and platforms could still say they offer E2EE, the entire purpose of the tech is undermined: the scanner sees the plaintext before the encryption ever happens.
The spirit of E2EE dictates that only the sender and the intended recipient can read a message, and that users can share their messages free from surveillance of any kind, including by the platform itself.
Digital rights group Access Now said this implementation would “deprive people of their confidentiality.” Senior policy counsel and encryption policy lead, Namrata Maheshwari, blogged:
“Storing the database on a device, which contains granular, sensitive personal information including media, notes, search histories, banking information, and medical data, is a debilitating attack on privacy.”
“Such a database could be modified and controlled by an external entity, without any user control; essentially converting any personal device into a potential ‘bug in our pocket’.”
The government would promise the database is protected with only the highest degrees of security, and yet some of the most sensitive databases in the country have been raided by cybercriminals. A blocklist pushed to every handset is also one the user can neither inspect nor audit, so whoever controls its update channel decides what gets reported.
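To make the CSS architecture described above concrete, here is an added toy model (not code from The Register, Access Now, or any messaging platform). It assumes a simplified pipeline in which the sending app fingerprints a message, checks it against a blocklist pushed to the device, and only then encrypts it. The “encryption” is a SHA-256 counter-mode keystream and the scanner is an exact-hash match, both stand-ins for real constructions (AES-GCM, perceptual hashes); the sample message and blocklist entries are constructed. The point it shows is that the wire traffic stays end-to-end encrypted before and after an external blocklist update, while the device’s reporting behaviour changes without the user seeing anything.

```python
"""Toy model of client-side scanning (CSS) placed in front of end-to-end encryption.

Constructed example. The cipher is a SHA-256 counter-mode keystream and the
scanner is an exact-hash blocklist; real systems use AES-GCM and perceptual
hashes. Only the architecture is meant to be illustrative.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def content_hash(data: bytes) -> str:
    """Fingerprint the scanner compares against the blocklist (exact match here)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ScanDatabase:
    """Blocklist pushed to the handset. The user cannot read or veto its contents;
    whoever controls the update channel controls what gets reported."""
    hashes: set = field(default_factory=set)

    def push_update(self, new_hashes) -> None:
        self.hashes |= set(new_hashes)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None):
    """Returns (nonce, ciphertext). A fixed nonce may be passed for reproducible tests."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def client_send(plaintext: bytes, key: bytes, db: ScanDatabase, reports: list,
                nonce: Optional[bytes] = None):
    """What the sending app does under CSS: scan the plaintext, then encrypt.

    The server only ever receives (nonce, ciphertext), so the platform can
    truthfully call the channel end-to-end encrypted. The match result leaves
    the device through a separate reporting path the recipient never sees."""
    fingerprint = content_hash(plaintext)
    flagged = fingerprint in db.hashes
    if flagged:
        reports.append(fingerprint)
    nonce, ciphertext = encrypt(key, plaintext, nonce)
    return nonce, ciphertext, flagged


def demo(key: bytes) -> dict:
    """Walk one lawful message through the pipeline before and after a blocklist update."""
    db = ScanDatabase({content_hash(b"known-bad-sample")})  # constructed seed entry
    reports = []
    message = b"Meet at the clinic at 9, bring the test results"  # lawful, private

    # 1. Before the update: not in the blocklist, encrypted, nothing reported.
    nonce1, ct1, flagged_before = client_send(message, key, db, reports)

    # 2. An external party pushes a new entry targeting that exact message.
    db.push_update({content_hash(message)})

    # 3. Same message, same encryption. The traffic is indistinguishable on the
    #    wire, but the device now reports it, and the user saw no change at all.
    nonce2, ct2, flagged_after = client_send(message, key, db, reports)

    return {
        "flagged_before": flagged_before,
        "flagged_after": flagged_after,
        "reports": list(reports),
        "roundtrip_ok": decrypt(key, nonce1, ct1) == message
        and decrypt(key, nonce2, ct2) == message,
        "server_sees_plaintext": message in (ct1, ct2),
    }


if __name__ == "__main__":
    print(demo(secrets.token_bytes(32)))
```

Running `demo()` shows `flagged_before` False and `flagged_after` True for the same message with the same key; the only thing that changed between the two sends is a blocklist entry the user never saw. Swapping the exact-hash match for a perceptual hash would widen what a single entry can catch, but would not change the structural point: confidentiality now depends on who controls the database, not on the encryption.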
Put simply, E2EE cannot be broken while maintaining the same trust it has now.
The Register has contacted the Home Office for a response. We’re not expecting one because it has so far refused to even admit the existence of the TCN. ®