Opinion: Britain can't pwn the world
The draft Investigatory Powers Bill gives Britain the power to prohibit companies from providing truly secure online communications, thus undermining the Web. But no country should have the right to pwn – hacker speak for "own" – the Internet.
Toby Melville/Reuters
While many believe that the release of Hong Kong in 1984 marked the end of the British Empire, it seems Britain has now shifted to conquering cyberspace.
A provision that would give the British government a new empire on which the sun never sets – the Internet – is hiding in the country's draft Investigatory Powers Bill.
The draft bill, expected to be introduced in Parliament early in 2016, renews and expands British authorities to conduct surveillance, including bulk surveillance. Several British and international digital rights groups, including Access Now, have already provided comments to key committees on the broad scope of the draft bill as well as the lack of sufficient human rights protections and oversight therein.
A key section in the controversial surveillance bill is designed to allow the government to prohibit any company, anywhere in the world, from offering communications services in Britain that are protected by the strongest security.
These obligations would apply to any "operator" that does business in Britain, which includes Internet businesses from across the globe. Specifically, these businesses could be banned from implementing end-to-end encryption – a form of encryption that protects against third-party access to private messages or transactions.
This is a threat to privacy and security across the globe.
All around the world, journalists, activists, and everyday people use end-to-end encryption to keep unauthorized parties – such as unfriendly governments, corrupt law enforcement, malicious hackers, would-be-blackmailers, thieves, or scammers – from accessing their private information. End-to-end encryption is mainly offered by companies committed to security and/or privacy. Silent Circle offers one end-to-end encrypted application. Signal has another. Apple's iMessage made it the default. And the list goes on.
Should the draft Investigatory Powers Bill become law in Britain, all of the companies that offer these services will have to make some hard decisions. Large companies that can afford it could build and maintain a totally different, and less secure, service for people who live there. But smaller companies would either have to cut off service to Britain altogether, or build in system vulnerabilities that negatively impact their users all around the world. Since the Internet is primarily made up of small companies and not high-profit empires, this would effectively allow the British government to impose their own standards on the rest of the world. The weak British security standard would become the de facto standard for most companies. The Internet would fall at the feet of one government.
Even more troubling, it may not be only one government for long. In the US, members of Congress and the US intelligence community have been talking about implementing similar authorities. Already, China has taken lessons from Britain and the US on surveillance and passed a law to mandate "decryption technical assistance," requiring that companies retain access to all user content. Without pushback from the public, India, France, and other countries may also take steps this year to weaken encryption. And other countries with different approaches for undermining security may further complicate an already complicated issue.
The result could be the irreversible rotting out of the basic services we have come to rely on in our everyday lives: services for banking, shopping, messaging, and social networking. Dangerously, passing antiencryption laws could give other countries justification to go even further, passing laws like mandatory data localization that would do additional damage to the foundation for the modern Internet. Broken up and riddled with security holes, the systems we have come to rely upon could ultimately collapse.
And for what? No government is going to be able to get rid of all end-to-end encrypted services. These services would still be available to those with the know-how and the funding to develop or procure them. Criminals would likely be the first to root out other ways to prevent authorities from accessing their communications. Instead of targeting and taking out the bad guys, these antiencryption laws would have a disproportionate negative impact on innocent users – people like you and me who just want to make sure that our private information stays private.
We can no longer sit idle while our governments wage war against the Internet and the innocent people who use it. It's time to wake up to the cybersecurity threat of what’s been called "cyber colonialism." Countries can – and should – take preventive measures to secure the Internet by passing laws to protect the development, production, and use of strong encryption. They should also disavow future legislation to mandate backdoors or any other requirements to weaken our security. We can start in the US, where many Internet companies are based.
As Britain's own Sir Tim Berners-Lee rightly argues, practices that target encryption would undermine the World Wide Web. No government, including Britain's, should have the power to pwn the Internet, and destroy it in the process.
Amie Stepanovich is the US policy manager for Access. Follow her on Twitter @astepanovich.