David Cameron caves in on his encryption battle with Apple’s bosses

British prime minister David Cameron has relented in his crusade against encryption, with the UK’s House of Commons passing a watered-down bill that gives spy agencies the power to engage in bulk surveillance and computer hacking, but stops short of banning encryption.

The bill, which was introduced by the Conservative government in March after modifications to address concerns from tech companies and privacy advocates, passed by a vote of 444 to 69.

Most of the opposition Labour Party voted with the Conservative majority to advance the bill to the House of Lords, while the opposition Scottish National Party, citing concerns about privacy and civil rights, voted against it.

Many of the surveillance techniques – such as scooping up the metadata of communications and using malware to gain access to the computers and mobile phones of terrorism suspects – have already been in use by UK spy agencies. The new law now gives them explicit authority.

The legislation was sharply criticised by global technology companies when it was first proposed last year.

Apple chief executive Tim Cook warned of “dire consequences” if the bill passed with language weakening encryption.

And companies ranging from Facebook, Google and Microsoft to Twitter and Yahoo said that the law would undermine customers’ faith in their products and brands.

Meanwhile, Vodafone said it was worried about the cost of modifying its systems to comply with the new law and that allowing the government to hack into its network might compromise its stability and integrity. But the version of the bill passed on Tuesday makes clear that companies aren’t required to build backdoors to their encryption and will only be required to remove such code in response to a government request if doing so is technically feasible and not unduly expensive.

When Apple was battling with the US Federal Bureau of Investigation over breaking the encryption on the iPhone of the attacker in a mass shooting in San Bernardino, California, the company said it would require a dedicated team of engineers working for at least a month to figure out how to crack it or modify the lock screen to allow unlimited attempts to open the device. If this UK bill becomes law, it would be up to a British judge to decide if that kind of effort met the “technical feasibility and reasonable cost” test.

The bill also makes clear that the government will likely reimburse communications companies, including mobile operators, for the cost of complying with the new legal obligations, such as the requirement to retain records of all the websites its customers visit for at least a year.

Civil rights and privacy advocates have also opposed the bill and the revisions the government made in the final version hasn’t mollified them. “Minor botox has not fixed this bill,” said Shami Chakrabarti, the director of the civil rights group Liberty, when the final version was introduced in March.

The House of Lords will now consider the proposed law, known as the Investigatory Powers Bill. The legislation, which some critics have branded a snooper’s charter, will also be analysed by a panel of legal experts chaired by David Anderson, the UK’s independent reviewer of terrorism legislation.

Anderson will issue a report on the bill – including an opinion on whether the bulk surveillance powers the government is asking for are justified – in time for the Lords final vote on the bill sometime in the fall. If it passes, the law will go into effect in January 2017.

The bill will be interpreted as a partial victory for Apple and other tech companies that objected to the perceived assault on encryption inherent in earlier versions of the parliamentary bill.

In an unprecedented move, Apple had submitted written evidence on the issue before the Investigatory Powers Bill scrutiny committee in the British House of Parliament. The tech giant claimed that cracking down on encryption would weaken the security of “hundreds of millions” of people who use Apple’s iMessage and Facetime communications platforms.

“The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers,” said Apple’s submission at the time. “A key left under the doormat would not just be there for the good guys. The bad guys would find it too.”

British Prime Minister David Cameron has publicly backed a tightening of laws against encryption, arguing that it is necessary to intercept and prevent terrorist attacks.

“Do we want to allow a means of communication between two people which even in extremis with a signed warrant from the home secretary personally that we cannot read?” he said in a parliamentary debate on the issue last year. “My answer to that question is no, we must not. The first duty of any government is to keep our country and our people safe.”

But this approach has been decried by a number of senior tech industry executives as misguided, with encryption seen as a basic standard rather than an ultimate one.

“Some have asserted that, given the expertise of technology companies, they should be able to construct a system that keeps the data of nearly all users secure but still allows the data of very few users to be read covertly when a proper warrant is served,” said Apple’s submission to the UK parliamentary committee.

“But the government does not know in advance which individuals will become targets of investigation, so the encryption system necessarily would need to be compromised for everyone.

“The best minds in the world cannot rewrite the laws of mathematics. Any process that weakens the mathematical models that protect user data will by extension weaken the protection.

“And recent history is littered with cases of attackers successfully implementing exploits that nearly all experts either remained unaware of or viewed as merely theoretical.”

Last November, Cook told the Irish Independent that Europe is “leading the world” on privacy and is the place he feels most “at home” on the issue. He said that many of Europe’s instincts on privacy align more closely to his own than other jurisdictions.

Source | Independent