Today, the UK government will announce details of the Draft Investigatory Powers Bill, a piece of legislation that will propose sweeping surveillance powers for law enforcement. These are expected to include the retention of citizens' internet browsing history, and restrictions on encryption.The Telegraph reports the legislation will ban companies such as Apple from offering customers robust end-to-end encryption which results in communications not being accessible to law enforcement even when they have a warrant. Other reports suggest the idea of a ban will be walked back.Meanwhile, a document published by a department of the Government Communications Headquarters (GCHQ), the UK's version of the National Security Agency (NSA), shows the government clearly recognises the benefit of strong encryption for its own purposes, even for everyday communications. Security researcher and developer of the Signal encrypted messaging app Frederic Jacobs pointed out the document on Twitter.So hardly top secret stuff, but rather the sort of details that even ordinary citizens could put into voice calls every day.
Advertisement
The National Technical Authority for Information Assurance (CESG), which acts as the information security arm of GCHQ and provides information security advice to the UK government, this month published "Secure Voice at OFFICIAL," a document which "provides an overview of secure voice technology for protecting OFFICIAL and OFFICIAL SENSITIVE communications.""OFFICIAL" is the lowest security classification of government material, and refers to "the majority of information that is created or processed by the public sector," according to a government paper from April 2014. "This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile," it explains. One example given is "personal information that is required to be protected under the Data Protection Act (1998) or other legislation (e.g. health records)," and another is "the day to day business of government, service delivery and public finances."While UK Gov works on banning end-to-end encryption, CESG (GCHQ IA) urges gov & enterprise to adopt it? ¯\_(ツ)_/¯ pic.twitter.com/lVgxdE8yPl
— Frederic Jacobs (@FredericJacobs) November 3, 2015
Advertisement
The paper lists some of the risks to unencrypted voice data: these include an attacker with network access being able to snoop on a call's content and metadata, or intercepting calls by setting up a fake cell phone tower or controlling infrastructure.Bearing this in mind, the document points out that the normal public telephone network is not suitable for communications on certain security levels."Under the new government classification scheme, at OFFICIAL and OFFICIAL SENSITIVE, we therefore recommend the use of a CPA-approved solution to protect real-time communications," the document reads.According to the paper, the only product approved so far by CESG's Commercial Product Assurance (CPA) programme is Cryptify Call, available for both iOS and Android and offers end-to-end encryption. Two other products are going through an approval process, and "CESG is committed to growing the ecosystem to support more vendors and service providers."Notably, in light of looming restrictions on end-to-end encryption, CESG says CPA-approved products "can be used by government, the wider public sector and industry."Neither CESG nor GCHQ responded to a request for comment by time of publication.As citizens may be told they can't use certain secure, end-to-end encryption because of looming threats from terrorists, pedophiles and criminals, it seems the government is well aware of the technology's benefits for itself.The government is well aware of the technology's benefits for itself