UK's National Crime Agency: Yes, We Could Ask Apple to Remove Encryption

An NCA official said on Tuesday that under the Investigatory Powers Bill, the agency could request that Apple remove encryption.

Apr 19 2016, 3:38pm

Photo: The National Crime Agency/Flickr

On Tuesday, an official from the National Crime Agency (NCA)—essentially the UK's version of the FBI—said that under the proposed Investigatory Powers Bill, the agency could request that Apple remove encryption.

Chris Farrimond, deputy director of intelligence collection at the NCA, said this was the case in response to a question posed by Ian Brown, professor of information security and privacy at the Oxford Internet Institute, which is part of Oxford University.

The Investigatory Powers Bill is an attempt to bring together the UK's varied, and arguably muddled, surveillance powers under one legislative umbrella, and provide new powers too. It has been the dominant policy topic amongst law enforcement, privacy campaigners, and experts in the UK for the past six months.

The question concerning Apple and encryption was asked during a public panel discussion at Parliament, called "Cross-Border Data Requests and the Investigatory Powers Bill." Brown confirmed the exchange to Motherboard.

A tweet from Silkie Carlo, from campaign group Liberty, stated that Farrimond had said the agency could "force" Apple to remove encryption.

A spokesperson from the NCA told Motherboard that Farrimond "stated something along the lines of that according to the bill as currently drafted we could request this." Farrimond responded with his own tweet, also clarifying that he said "request."

With that being said, Section 218(9) of the bill reads that someone who has been provided with such a notice "must comply." The Home Secretary must also "take into account the technical feasibility, and likely cost, of complying with those obligations."

The Investigatory Powers Bill would force internet service providers to store browsing data of all customers for 12 months. The bill, which is currently going through the debate process in the House of Commons, would also introduce new authorisations for how law enforcement carries out its computer hacking capabilities.

Elsewhere in the more than 250-page bill are sections referring to the removal of "electronic protection" of data. This has been widely interpreted by tech companies and civil liberties groups as a legal capability to force firms to strip customers' devices or communications of encryption.

"We believe encryption is important, we are not proposing to make any changes to encryption and the legal position around that," the Home Secretary Theresa May said during an evidence session for the bill in January.

But the bill clearly still sets the expectation that companies should be able to hand over data in an intelligible form when demanded to do so.

"We're not saying that we want keys to their encryption," May continued in the hearing. "The government doesn't need to know what the encryption is, but if there's a lawful warrant it's about that information being readable."

This position sits at odds with the reality of how many encryption systems work today. Increasingly, companies are putting encryption keys in the control of individual users, meaning that even the firm typically cannot obtain plain-text data itself. When it comes to Apple, the current debate is focused mostly around the company's hard-drive encryption, and in particular how it is applied to its later generation of iPhones.

More broadly, many companies are expanding their deployment of end-to-end encryption, used to secure communications such as texts, video, or audio calls. Earlier this month, WhatsApp turned on a much more robust implementation of encryption for all of its 1 billion users, meaning that the company cannot read or provide copies of its users' chats to law enforcement.

With these developments in mind, it's not clear how the NCA would expect to obtain decrypted data from Apple in technical terms, but perhaps legal challenges similar to those that have played out in the US could appear in the UK.