This is my response to the UK Home Office consultation on the Draft Investigatory Powers (Technical Capability) Regulations 2017, not published online.
The draft regulations imply that, once passed, there will be a legal requirement for communication providers to build backdoors into encrypted or otherwise secured systems so that the security services can access messages in real time. This will apply to any service with more than 10,000 users.
The idea of having a “golden key”, “master key”, “key escrow” or some other system which allows authorized governmental access to the system has many problems including how to secure the key, how to distribute the key to those who are authorized and how to prevent independent security researchers from discovering the key.
You have no doubt already received responses explaining why this is a bad idea from a technical perspective so I won’t go into that in my response. I urge you to read resources such as: https://dspace.mit.edu/handle/1721.1/97690 and https://blog.cryptographyengineering.com/2015/04/16/how-do-we-build-encryption-backdors/ which explain the technicalities of why we should not build backdoors. Instead, I will comment as the co-founder and CEO of a small software business based in London.
My business develops software that is deployed into a wide range of enterprise IT environments for customers around the world. We put a lot of effort into securing our infrastructure and ensuring that we follow best practices for developing secure software. This includes the use of encrypted transport for the server performance data we collect, as well as encrypting user data such as passwords and other login tokens.
We are solving challenging technical problems with large volumes of data and high performance systems, which means we need to be able to recruit the best technical talent we possibly can. With regular involvement in the community through conferences and writing articles, we have built up a reputation as a good place to work that allows engineers to work on interesting problems, achieving their best work.
The UK and London in particular is highly regarded for its fintech startups. We are leading the way in well thought through banking regulation and allowing new financial products to be brought to market by innovative startups. As with my own company, these startups want to be able to access the best talent. Indeed, in recent days we have seen foreign businesses making major investments in London, Cambridge and Edinburgh due to the availability of talent and capital.
If these regulations force UK businesses to build backdoors into their software, against the advice of security experts, this will be considered by engineers to be building flawed software. Why would the top engineers want to be hampered by such legislation, and be associated with the damaged reputation of building insecure software? With a large market for engineers worldwide, especially with remote working (something my company uses to be able to find the best engineers, wherever they are), the best engineers will simply choose to work for non-UK companies.
Not only that, but these regulations apply only within the jurisdiction of the UK. Whilst it might be possible to force the major corporate owners of WhatsApp (Facebook) or iMessage (Apple) to reduce the security of their systems, there are so many alternative products that this simply causes those targeted to move to different messaging platforms. Why would any startup locate itself in the UK if it knew that should its product become successful i.e. Once it hit 10,000 users, it would then be required to implement a backdoor?
Given the cyber-skills shortage with the UK having the second largest cyber skills gap of 10 major countries (PN 554 page 4: “Skills Shortage”), does the government really want to introduce barriers to attracting and retaining the best talent?
Ultimately, I believe the technical barriers are sufficient to make these regulations useless. Anyone can use encryption because it’s just maths. There are many free and open source communication services which users will just move to. And the business impact will negatively affect the UKs ability to address concerns with cyber security, just when it is most needed.