Other articles in this series:

The Investigatory Powers Act: A Pre-Commencement Briefing

The Investigatory Powers Act has, sadly but unsurprisingly, passed both houses of Parliament and will become law in the coming weeks.

This provides a valuable opportunity to take preemptive action against use of the Investigatory Powers Act in certain ways.

Most of my coverage of the legislation in its draft form still applies.

Briefing for end users

Briefing for ISPs, other service providers and general measures

Briefing for providers of other communications services and developers of cryptographic applications

See also the above section.

This legislation provides methods by which providers of end-to-end encrypted services may be forced not merely to hand over data they already possess, but also to modify their services to facilitate access. The UK is not alone here; a comparable case in the US was Lavabit.

Communications services using end-to-end cryptography that are designed to withstand the compromise of their servers, and that rely on separately distributed client applications, can be secured by the easier and separable task of securing the distribution of the client application.

Conversely, communications services involving end-to-end cryptography which use browser-delivered JavaScript crypto cannot be secured from server compromise.

The simplest measure to take to mitigate the impact of the bill on transmissible goods and services, such as software or communications services, is to evacuate the UK jurisdiction and provide those goods and services from other locations.

Persons working on software or controlling non-UK communications services from within the UK may wish to institute code review or two-man systems as appropriate to mitigate the threat of coercion of persons inside the UK.

For software projects, consider instituting code review and requiring review by persons from a plurality of jurisdictions. Consider implementing reproducible builds for binary distribution, and ensure that all builds are made plurally using a plurality of persons and jurisdictions.
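A release gate for the plural-build policy described above could look like the following. This is an added example, not code from the original article or any particular project; the `Attestation` record, the `evaluate_release` function, the thresholds and the sample builders are hypothetical, and each attestation is assumed to have been authenticated already (for instance by checking the builder's signature).

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    builder: str       # person who rebuilt the release from source
    jurisdiction: str  # where that person could be compelled
    sha256: str        # digest of the binary they produced

def evaluate_release(artifact, attestations, min_builders=3, min_jurisdictions=2):
    """Accept a binary only if independent rebuilds in several jurisdictions agree."""
    digest = hashlib.sha256(artifact).hexdigest()
    matching, dissent = {}, set()
    for a in attestations:
        if a.sha256.lower() == digest:
            matching[a.builder] = a.jurisdiction  # one vote per builder
        else:
            dissent.add(a.builder)
    for builder in dissent:  # a builder who ever disagreed does not count as agreeing
        matching.pop(builder, None)
    per_jurisdiction = Counter(matching.values())
    # Agreeing builders left if everyone in the best-represented jurisdiction is coerced.
    survivors = len(matching) - max(per_jurisdiction.values(), default=0)
    accepted = (not dissent  # any mismatch blocks the release until explained
                and len(matching) >= min_builders
                and len(per_jurisdiction) >= min_jurisdictions)
    return {"digest": digest, "accepted": accepted, "agreeing": sorted(matching),
            "dissent": sorted(dissent), "jurisdictions": sorted(per_jurisdiction),
            "survivors": survivors}

# Constructed sample data: the artifact bytes, builder names and jurisdiction
# labels below are invented for illustration.
ARTIFACT = b"constructed release archive bytes"
GOOD = hashlib.sha256(ARTIFACT).hexdigest()
BAD = hashlib.sha256(b"same source, tampered output").hexdigest()

SPREAD = [Attestation("alice", "IS", GOOD), Attestation("bob", "DE", GOOD),
          Attestation("carol", "DE", GOOD)]
ONE_PLACE = [Attestation(n, "UK", GOOD) for n in ("dan", "erin", "frank")]
MISMATCH = SPREAD + [Attestation("grace", "CH", BAD)]

if __name__ == "__main__":
    for name, atts in (("spread", SPREAD), ("one place", ONE_PLACE), ("mismatch", MISMATCH)):
        r = evaluate_release(ARTIFACT, atts)
        print(name, r["accepted"], r["jurisdictions"], r["dissent"], r["survivors"])
```

The `survivors` figure shows how many agreeing builders remain if every builder in the best-represented jurisdiction is compelled; a value of zero means one government could account for the entire quorum.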

Facilities for communication with the software project or service should minimize the opportunities for first contact to be with a UK person liable to compulsion. Instead, project or organization points of contact should go to a person operating under a pre-agreed policy of publishing any communication from any government worldwide made in prospect of weakening cryptographic systems, wherever it is legally possible to do so. These first contact persons should be chosen for their occupancy of strategically chosen jurisdictions. Adoption of this policy discourages governments from even attempting to solicit the weakening of cryptographic systems.

This advice also applies to distributors of software, not just the upstream developers. OS distros, for example, should assume that they may be threatened.

Make software open source where possible, as the nature of open source development makes it one of the most secure against government interference in cryptographic capability.

(Relevant parts of law: Equipment Interference warrants and the duty to assist conferred on third parties (s. 129); Technical Capability Notices.)

Definition of “telecommunications operator”

  1. “Telecommunications operator” means a person who—
    1. offers or provides a telecommunications service to persons in the United Kingdom, or
    2. controls or provides a telecommunications system which is (wholly or partly)—
      1. in the United Kingdom, or
      2. controlled from the United Kingdom.
  2. “Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).
  3. For the purposes of subsection (11), the cases in which a service is to be taken to consist in the provision of access to, and facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.
  4. “Telecommunications system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

After staring at this section for some considerable time, I am not prepared to state with confidence that it does not include entities publishing cryptographic software but not providing communications services themselves.


Corrections welcome.
