The four-week consultation apparently started on 21 April, giving telecoms operators – which it will affect – and others only until 19 May to respond.
Jim Killock, executive director of the Open Rights Group, said: “These powers could be directed at companies like WhatsApp to limit their encryption. The regulations would make the demands that [government minister] Amber Rudd made to attack end-to-end encryption a reality. But if the powers are exercised, this will be done in secret.”
A calculation of when the consultation started shows that the Home Office, the UK government’s interior ministry, slipped it out just three days after Prime Minister Theresa May announced her intention to call a general election.
That means that most people’s attention was focused on national politics. And the UK’s parliament was dissolved in preparation for the election last week, on 2 May, so no politicians will be in office to take part in the consultation: the election is on 8 June and the new parliament will gather on 19 June, a full month after the consultation ends.
Other consultations have been delayed because of the election. For example telecoms regulator Ofcom started a consultation on 16 March about Twenty-First Century Fox’s bid to take 100% control of Sky, and said it would advise the government by 16 May. But when the election was called, Ofcom said it would delay its report until 20 June.
The security consultation (PDF) covers changes to the UK’s Investigatory Powers Act, which governs who can authorise interception of messages and in what circumstances. Under the proposed rule change, telecoms operators and internet service providers will be required to provide data about calls and emails within 24 hours of being notified by a government official. UK law has already been criticised by the Court of Justice of the European Union (EU), to which the UK is still subject until it leaves the EU.
Killock said: “There needs to be transparency about how such measures are judged to be reasonable, the risks that are imposed on users and companies, and how companies can challenge government demands that are unreasonable.”
In March Rudd, who as Home Secretary – the minister in charge of the Home Office – is responsible for security matters, complained about the end-to-end encryption in WhatsApp and other messaging services. She said that police and other agencies should be allowed to insist that messaging companies should provide decrypted contents. This proposed change appears to set up the rules for that.
The rules says that companies should “provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection”. It also will want the data to be transmitted “in near real time to a hand-over point as agreed with the person to whom the warrant is addressed”.
Operators will need to maintain facilities to intercept the communications of up to one in 10,000 of their customers, says the Home Office draft rule. They will have to minimise the likelihood that any unauthorised persons learn of the intercept.
“The public has a right to know about government powers that could put their privacy and security at risk,” said Killock. “Businesses and the public need to know they aren’t being put at risk. Sometimes, surveillance capabilities may be justified and safe: but at other times, they might put many more people – who are not suspected of any crime – at risk.”
But Killock warned: “Selective, secret consultations have no place in open Government.”