Microsoft, Google, Facebook to U.K.: Don’t weaken encryption
In a joint written submission to the U.K. Parliament the three U.S.-based companies lay down several areas of concern, which, if not addressed, they say could damage their businesses and leave them caught in legal crossfires among the many countries where they do business.
The companies say they don’t want the U.K. to impose restrictions and apply them to foreign service providers such as themselves because, if other countries followed suit, it would lead to a morass of laws impossible to navigate. “Conflicts of laws create an increasingly chaotic legal environment for providers, restricting the free flow of information and leaving private companies to decide whose laws to violate,” the submission says.
They staunchly support encryption without backdoors. “The companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide,” they write. “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means.”
Despite what the U.K.’s Home Secretary Theresa May has said about not seeking encryption backdoors, they want it in writing. “We appreciate the statements in the Bill and by the Home Secretary that the Bill is not intended to weaken the use of encryption, and suggest that the Bill expressly state that nothing in the Bill should be construed to require a company to weaken or defeat its security measures.”
The Parliament is considering bills that would give government agencies access to communications across service provider networks with proper legal authorization, which would affect Microsoft, Google and Facebook, all of which operate globally and face compliance with laws in many countries.
As the U.K. is considering such laws, the Netherlands have rejected forcing providers to break encryption on demand. In the U.S., Congress has held hearings in which members say they will propose legislation to require providing cleartext versions of encrypted traffic when presented with a judge’s order.
The three companies ask that if the U.K. does create lawful access to encrypted communications, companies based outside the U.K. would not be required to comply if that would go against laws it has to follow in other countries.
They urge an international agreement on how the lawful-access laws of individual countries should be observed in other countries to remove ambiguities that might prevent them from complying with all of them.
The companies want to protect customer privacy by requiring notification of those whose communications are intercepted. “While it may be appropriate to withhold or delay notice in exceptional cases, in those cases the burden should be on the Government to demonstrate that there is an overriding need to protect public safety or preserve the integrity of a criminal investigation,” they say.
They also seek to protect data stored in the cloud the same way it is protected in private data centers. The government should go to a business if it is seeking a business’s data, just as it did before cloud services existed. “This is an area where the UK can lead the rest of the world, promoting cloud adoption, protecting law enforcement’s investigative needs, and resolving jurisdictional challenges without acting extraterritorially,” they say.
They note that the draft lacks requirements for agencies to tell the providers if they know of vulnerabilities in their networks that could be exploited, and that any authorized actions agencies take don’t introduce new vulnerabilities.
Microsoft, Google and Facebook seem concerned that agencies granted legal access to their networks might alter them lest that have a negative effect on the services they deliver over those networks. “The clearest example is the authority to engage in computer network exploitation, or equipment interference,” they say. “To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your Government to reconsider.”
The companies want protections for their executives located within the U.K. They want warrants, when they have to be served on communications companies, to be served to officers of the companies who are located at the companies’ headquarters, not to employees of the companies located in the U.K. “We have collective experience around the world of personnel who have nothing to do with the data sought being arrested or intimidated in an attempt to force an overseas corporation to disclose user information,” they write. “We do not believe that the UK wants to legitimize this lawless and heavy-handed practice.”
They don’t want to be forced to create and retain data about customers that they don’t already in the normal course of business. “Some language under the retention part of the Bill suggests that a company could be required to generate data – and perhaps even reconfigure their networks or services to generate data – for the purposes of retention,” they write.
The companies think whatever judicial approvals are required to issue warrants to decrypt communications ought to apply to other U.K. orders issued to communications providers by the U.K.’s Defense Intelligence and other intelligence services. These other orders include national security notices, maintenance of technical capability orders, and modifications to equipment interference warrants.
They want the law to narrowly define bulk collection of data so it doesn’t include all traffic on a given channel, but rather is restricted to traffic specified by specific indicators such as source and destination, for example. The law should allow only necessary and proportionate amounts of data be analyzed and retained, and the rest be destroyed, they say.
Service providers should be allowed to hire attorneys and protest warrants without running the risk of violating disclosure laws or acknowledging that they actually are subject to the law, they write.
They take exception to a single word – urgent – not being defined in drafts of the law where it says requiring decryption of communications in urgent cases. “Clarity on this term - which other countries may seek to emulate and even abuse - is important,” they say.