The government is using national security as a “smokescreen” to refuse to disclose how many technical capability notices (TCNs) it has issued to telecoms and internet companies to secretly gain access to users’ encrypted communications and data, and make other modifications to their networks, it was claimed last night.
Senior Conservative MP David Davis told Computer Weekly there was “no credible case” for the government to refuse to tell Parliament how many notices it issues each year to telecoms and internet companies.
“The government is being dishonest in its use of ‘national security’ as a smokescreen to avoid telling the public how often it has ordered tech companies to hand over data or undermine encryption,” he said.
In response to written questions from Davis (here and here), Labour’s minister of state for security, Dan Jarvis, claimed he could not disclose how many TCNs the Home Office issues each year to phone and internet companies, citing national security.
Jarvis said it has been a “long-standing position that the government does not confirm or deny compliance of operators given a notice”.
The government is being dishonest in its use of ‘national security’ as a smokescreen to avoid telling the public how often it has ordered tech companies to hand over data or undermine encryption David Davis, Conservative MP
“We also do not publish the number of technical capability notices issued or release identities of those subject to a technical capability notice. To do so may identify operational capabilities or harm the commercial interests of companies,” he added.
TCNs issued to major telcos
The Home Office is required to seek approval from a technical advisory board, made up of representatives from the telecommunications industry and the intelligence services, before issuing TCNs. It is unclear whether the advisory board has ever objected to a TCN.
The Home Office is understood to have issued TCNs to every major UK telecommunications company and internet service provider. TCNs must be renewed every two years or are deemed to have lapsed, according to the code of practice (13.33).
Before the Investigatory Powers Act 2016, the government issued similar notices under Section 94 of the Telecommunications Act 1984.
A court ruling last year raised questions over the blanket use of secret government orders to weaken the encryption of technology company users.
The European Court of Human Rights found Russia had acted unlawfully when it ordered messaging service Telegram to assist in the decryption of users’ encrypted communications by providing data relating to the encryption key.
Podchasov versus Russia
In the case of Podchasov v. Russia, judges found: “Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications.”
They added: “Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications.”
Bernard Keenan, a lecturer in law at UCL and a specialist in surveillance law, said the case meant that any systemic undermining of an encrypted internet system was, by default, “disproportionate”, and if the UK intended to undermine end-to-end encryption, it should say so publicly.
“It seems to raise a really important point, which is to say that if you’re going to systemically weaken and create risks, that has to be foreseeable [under the law]. And that means you should at least say whether you are issuing these [TCNs],” he added.
Government response questioned
Pat Walshe, a data protection and privacy professional, said the government’s claim that disclosing the number of orders issued would damage national security was open to challenge.
“I think David Davis is correct to ask the questions and it’s neglectful of the government not to answer them. I would suggest respectfully to the government that disclosure of the numbers themselves would not compromise national security,” he said.
You cannot create a backdoor for the state without opening the same door to hostile states and cyber criminals. Once a vulnerability exists, it will be exploited David Davis, Conservative MP
“If they are saying it is, then I would respectfully ask the government to publish the impact assessment that proves the restriction on disclosure is necessary and proportionate to safeguard national security,” he added.
Davis told Computer Weekly that encryption safeguards everyone, including journalists, whistleblowers, businesses and the public.
“You cannot create a backdoor for the state without opening the same door to hostile states and cyber criminals. Once a vulnerability exists, it will be exploited,” he said.
Davis said the order issued against Apple is unlikely to be the first and only notice served, “yet we have no idea how many such notices have been issued, nor how often companies have resisted or complied”.
He added: “There is no credible national security case for withholding this information. The government’s refusal to publish even the number of these notices is not about security – it is about avoiding scrutiny.”
Need for warrants
Computer Weekly previously reported that, if the Home Office succeeds in securing the TCN against Apple, it would have to take many further legal and technical steps to obtain the cryptography keys to read messages and data from users of Apple’s Advanced Data Protection service.
This could include obtaining targeted warrants to monitor individual users of Apple, bulk warrants to target large numbers of users, or thematic warrants to target different classes of people using Apple’s services.
The Home Office would also have to serve “equipment interference warrants” to enable necessary “updates” and tampered apps to be sent to targeted Apple devices, according to forensic computer expert Duncan Campbell.
Davis said the government should focus on better-targeted intelligence and proper judicial oversight, rather than weakening the security of cloud services.
“Instead of strong-arming tech firms into weakening public protections, the government should focus on better-targeted intelligence, robust legal frameworks and proper judicial oversight. We do not defend British values by dismantling them,” he said.
It is widely believed that the Home Office has issued a similar TCN against Google, which develops the Android phone operating system.
