New proposals for encryption 'back doors' planned by UK government in extension to internet surveillance
Plans for encryption back door keys to be held by telcos and ISPs and real-time web surveillance
The British government is leading a secret consultation over plans to effectively outlaw end-to-end encryption and extend web surveillance.
The consultation was begun in January with just a handful of the biggest internet service providers and telecoms companies, and reveals how the government intends to compel them to provide it with real-time access to the communications of up to 10,000 people or ‘subjects' at a time.
The plans were revealed in a draft technical capability notice paper leaked last night.
All communications companies would be obliged to provide security services and the police with real-time access to the full content of anyone's web browsing with one working day's notice. They would also be obliged to hand over any ‘secondary data' relating to that individual.
The proposals mean that the government is effectively planning to outlaw end-to-end encryption by mandating a ‘back door' into any encryption product or service used in the UK, which could be unlocked by telecoms companies and internet service providers (ISPs) at any time on the request of the authorities.
The powers would be enacted under statutory instruments already enabled under the Investigatory Powers Act 2016, passed at the end of November.
However, they would need to be laid before Parliament under what is known as the ‘affirmative procedure'. That means that they would, at least, require the formal approval of both Houses of Parliament before becoming law.
The government is currently conducting a behind-closed-doors consultation with select telcos and ISPs who make up the telco side of the Technical Advisory Board - BSkyB, BT, Cable & Wireless, O2, Virgin Media and Vodafone. The draft proposals were leaked to the Open Rights Group.
Sections eight and nine make it abundantly clear what the government is planning.
Section eight would require ‘relevant telecommunications operators' "To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection".
Section nine, meanwhile, obliges the same telecoms operators "To provide and maintain the capability to simultaneously intercept, or obtain secondary data from, communications relating to up to one in 10,000 of the persons to whom the telecommunications operator provides the telecommunications service to which the communications relate".
The ‘targeted consultation', conducted under Section 253 (6) of the Investigatory Powers Act, will only run for four weeks, concluding on 19 May. All responses should be emailed to [email protected]