May 2024

Encryption under fire: UK’s Investigatory Powers Act amendments spark debate

Written by Positive Team

The Investigatory Powers Act (IPA) of 2016 governs how UK authorities access communication data. Now, amendments that have been given royal assent have ignited fierce debate.

While the government seeks to bolster national security by gaining a deeper look into encrypted messages and files, the potential consequences for the tech industry, user privacy, and innovation are raising concerns.

The government argues the amendments are necessary to give law enforcement a fighting chance against criminals who are increasingly exploiting encrypted communications to plot their activities, making it virtually impossible for authorities to monitor their plans. So, these amendments could provide a legal framework for obtaining access to encrypted data in “exceptional” circumstances, potentially thwarting attacks.

Security vs innovation 

One specific amendment focusing on “exceptional lawful access” methods will have a significant impact on the tech industry. Tech companies could be forced to develop tools that bypass encryption. This essentially offers the government a ‘backdoor’, pre-built into systems, to encrypted communication channels.

Encryption is binary – information is either secure or vulnerable. Backdoors inherently introduce vulnerabilities, not just for UK citizens, but also globally. This would significantly weaken the overall effectiveness of encryption, jeopardising the confidentiality of sensitive information across various sectors.

The debate therefore hinges on striking a balance between national security and online privacy. While the amendments aim to address security concerns, the potential erosion of encryption and user trust could leave the UK more vulnerable in the long run.

The UK tech industry will fall behind

Tech giants like Meta and Apple have voiced strong opposition, fearing the legislation could force them to compromise user privacy features. This may, it’s feared, lead to an exodus of companies from the UK tech sector, stifling innovation and driving talent away.

Weakening trust in tech companies creates a vicious cycle. Consumers and businesses become hesitant to engage with companies seen as collaborators in increased government surveillance. This loss of trust could dampen the UK’s tech industry, as valuable talent and business opportunities migrate to more privacy-focused environments.

Making tech more vulnerable?

Another key area of contention is the government’s increased oversight of how companies address security vulnerabilities.

On the surface, this seems like a positive step. In our ever-evolving threat landscape, staying ahead of the curve is crucial and the government, with its vast resources and intelligence gathering capabilities, might be able to identify vulnerabilities that companies miss.

While the aim is to stay ahead of evolving threats, it could force companies to prioritise patching weaknesses identified by the government, potentially taking resources away from fixing other critical issues.

The devil is in the details. Here’s why some experts are concerned:

Prioritisation headaches: The amendments could force companies to prioritise patching vulnerabilities flagged by the government, even if they have other critical issues on their plate. This could lead to a game of whack-a-mole, where companies are constantly playing catch-up with the government’s latest findings, neglecting other important security measures.

Resource strain: Fixing vulnerabilities is a resource-intensive process. If companies are mandated to address government-identified issues first, they might be stretched thin, leaving less manpower and budget to tackle other security problems identified internally.

Transparency concerns: What criteria will the government use to identify these vulnerabilities? Will the companies be informed of the nature of the vulnerability, or will they be left patching a hole without fully understanding the threat?

Are citizens going to accept this?

Public trust in the government is already very low, and public perception of surveillance is a complex issue, with UK citizens showing apathy towards CCTV cameras and other forms of surveillance. This could shift as people become increasingly aware of the vast amount of data they generate and its impact on their lives, especially if they realise just how much information the UK government will have access to.

The solution? Collaboration.

A more constructive approach would involve collaboration with the tech industry. Working together, the government and tech companies can find solutions that address security concerns without compromising user privacy and hindering innovation. The future of the UK’s tech sector, and potentially online security for all, rests on achieving this delicate balance.
