Skip to main content

Will the Investigatory Powers Bill enable hackers to access backdoors?

Audio player loading…

As the Investigatory Powers Bill wends its way through parliament, questions have been asked not just about the loss of privacy it will mean to anyone connecting to the internet in the UK, there are fears that calls by the government for backdoors in encryption could be counterproductive.

While it stops short of banning end-to-end encryption, it will require tech firms to allow backdoor access to police and security services. There are fears that this could make such activities as online banking hard, if not impossible, to do safely.

The trouble with having a backdoor such as this is that if the security services can decrypt secure communication, so can others, and most likely that means hackers and other criminals.

But Jonathan Sander, vice president of Product Strategy at Lieberman Software says that the debate about backdoors in encryption suffers from both psychological and technological misunderstandings.

"Many people apply the principle that people who have nothing to hide have nothing to fear from a universal backdoor to encryption," he says. "In an era when so many politicians all over the world are being caught out with emails and tweets, you would think government might appreciate how much encryption may mean in our everyday lives."

Driven by policymakers, not spies

Memset's head of Security Thomas Owen suspects that the direction towards state-mandated backdoors and the deliberate weakening of security is being driven by policymakers, not the intelligence agencies themselves.

"Such a policy speaks of a fundamental lack of understanding of the problem and the space that they are working in," he says.

He says, if anything, a similar bill going through the Dutch parliament is "even more alarming" than the current state of the UK Intelligence Powers Bill and provides a vehicle for "sweeping, unaccountable" rights for state agencies.

"In these uncertain times, one spokesperson's comments on what a government 'does not want' to do cannot be compared to what a government 'legally can' do. When faced with the next terrorist threat or other related zeitgeist, it seems inevitable that best intentions crumble into maximum capabilities," he warns.

Nicola Fulford, head of Data Protection and Privacy at Kemp Little, told us that there are certain difficulties around encryption as far as the bill is concerned.

"Under the bill, there is a right for the government to request communication service providers (CSPs) for disclosure of certain communications data, including internet connection records which covers instant messaging applications," she says. "It is worth mentioning that communications data is distinct from contents data. Communications data is information about who sent the communication, to whom, when, how and so on – crucially, it does not contain the content of the communication."

She adds that the bill requires CSPs to assist with giving effect to any warrants for communications data, including removing any encryption applied to that data.

"So if CSPs encrypt communications data and are served with the interception warrant, they will need to have the ability to 'unlock' the contents to comply with the warrant," she says.