Global Encryption Coalition Steering Committee Statement on Proposed Revisions to the UK’s Investigatory Powers Act

The Center for Democracy & Technology, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla, constituting members of the Global Encryption Coalition’s Steering Committee, issued the following statement regarding proposed revisions to the UK’s Investigatory Powers Act. 

On 8 November 2023 the first reading of the Investigatory Powers (Amendment) Bill was held in the House of Lords. This Amendment Bill seeks to expand existing UK interception and surveillance powers that were established in the 2016 Investigatory Powers Act.

The Amendment Bill proposes changes that would interfere with the ability of providers to offer strong encryption in their products, which in turn would harm the security of users not just in the UK, but around the world. Two proposed changes are of particular concern: 

  1. The obligation for providers to notify the Secretary of State before making technical and other relevant changes to their products; and
  2. The requirements for providers to refrain from making any technical changes to their services pending the review of an appeal against a notice issued under the IPA.

These changes would introduce bureaucratic obstacles that would disincentivize, delay, or even halt the development and deployment of security updates for services operating in the UK. In today’s cybersecurity risk environment, these updates are enormous in number and importance, and these new requirements would backlog them when swift implementation is required. In effect, the UK government would become the arbitrator of how and when technology is secured and maintained, undermining user trust in the safety and security of services and products. 

These concerns are heightened by the interaction between the Investigatory Powers Act (Amendment) Bill and the recently passed Online Safety Act as the government potentially gains new powers to interfere in the security features of user products as well as to perhaps require that companies use privacy-violating detection technologies, like client-side scanning, to scan the encrypted messages of their users. 

As the Amendment Bill enters its First Reading in the House of Commons, we call on Members of Parliament to reject proposals that would interfere with the ability of providers to develop and deploy security-enhancing technologies, including encryption. We encourage policymakers to refer to the recently published open letter addressed to the UK Home Secretary from security experts that was signed by several technical expert members of the Global Encryption Coalition and identifies the security risks associated with the proposal in detail.