It could put an end to end-to-end encryption in services such as WhatsApp: The U.K. government wants telecommunications providers to help it tap their customers' communications, removing any encryption the provider applied.
The government's desires are set out in a draft of the regulations obtained by Open Rights Group (ORG), which campaigns for digital civil rights.
"These powers could be directed at companies like WhatsApp to limit their encryption. The regulations would make the demands that [Home Secretary] Amber Rudd made to attack end-to-end encryption a reality. But if the powers are exercised, this will be done in secret," said ORG executive director Jim Killock.
The draft of the Investigatory Powers (Technical Capability) Regulations 2017 was circulated by government officials as part of a "targeted consultation" of some of the organizations that would have to comply with the law, the group said.
Its requirements will apply to fixed and mobile phone networks, but also the operators of cloud-based messaging services and social networks, according to an analysis of the law by Bird & Bird last November, when the act received royal assent.
Operators with over 10,000 users in the U.K. will have to modify their systems to provide government officials with on-demand access to their customers' communications, according to the draft regulation revealed Friday.
Previous surveillance laws in the U.K. have required operators to provide just the communications metadata, information about who is calling whom, when and where. This time, though, the government also wants operators to provide the content of their customers' communications in an intelligible form, and "to remove electronic protection applied by or on behalf of the telecommunications operator."
That, said ORG, could allow the government to compel companies to introduce backdoors to end-to-end encryption, or put in place other security weaknesses, with little accountability.
There will be no pleas of "Sorry officer, the surveillance system broke," as the draft regulation calls for the spying apparatus to be at least as reliable as the rest of the network.
Much of the Investigatory Powers Act -- and thus the draft regulation implementing it -- applies to companies worldwide as long as one end of the communication is in the U.K., although the government may have difficulty enforcing it, Bird & Bird noted in its analysis of the law.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.