Britain’s intelligence services have warned the world’s largest technology companies they will press ahead with plans to force them to crack open encrypted private communications of their customers, according to several people familiar with the talks.
Silicon Valley executives complain there is a growing gap between the British government’s public stance that it will not “undermine the security of people’s data” using new legislation and the private position of the country’s spies and law-enforcement agencies.
On Tuesday, MPs sitting on the Intelligence and Security Committee said the government’s draft investigatory powers bill was too invasive. The proposed law attempts to replace the communication data bill, dubbed by critics as the “snoopers’ charter” and ditched in the last parliament.
Dominic Grieve, a Conservative MP, said: “We had expected to find universal privacy protections applied consistently throughout . . . Instead, the draft bill adopts a rather piecemeal approach, which lacks clarity and undermines the importance of the safeguards associated with these powers.”
On Thursday, a parliamentary committee scrutinising the bill will issue its findings.
But there is growing anger among Silicon Valley groups over current proposals to update the UK’s spying regime for the digital age.
The companies believe the bill will dangerously weaken the security of private messages and leave millions of customers exposed to attacks by cybercriminals, a claim that the security services reject. They also argue that the bill will encourage other countries, such as China and Russia, to adopt similar legislation.
Messaging products such as Apple’s iMessage and Facebook’s WhatsApp feature “end-to-end encryption”, which makes it hard for third parties to intercept information being transmitted. Tech groups say that it is impossible for the companies themselves to retrieve the content of these messages.
Many in Whitehall have been frustrated by the public declarations of tech companies but in private say that the government is confident it will be able to seal an arrangement to meet its requirements. Resisting the need for UK spies to have access to data, even with a relevant warrant, is a “theological matter” for tech companies, said one senior British intelligence official.
The issue of encryption has grown in importance to Silicon Valley groups trying to regain the trust of customers. These companies have been damaged by revelations from Edward Snowden, the former US National Security Agency contractor turned whistleblower, that US and British security services can access the internal networks of major technology groups.
Government officials said that after a period of hostility following a public rebuke by Robert Hannigan, director of the UK’s GCHQ electronic eavesdropping agency, in November 2014, government and the tech industry were now working productively and closely. According to one senior adviser, a recent visit by Tim Cook, Apple chief executive, to the UK for private meetings with Theresa May, the home secretary, led to the tech chief telling officials he was prepared to do “everything necessary” to accommodate British concerns — although people from Apple who attended the meeting denied Mr Cook made these remarks.
But industry executives have grown concerned following meetings with security services in which GCHQ and MI5, Britain’s domestic intelligence agency, expressed an intention to use clauses in the proposed law that relate to “the removal of electronic protection applied by a relevant operator to any communications or data”.
In private talks, security services have expressed concerns that terrorist groups are using modern messaging tools featuring end-to-end encryption, including services such as Telegram, Kik and Wickr, to communicate without fear of being tracked.
“I know [security services] don’t like the fact that a WhatsApp message can be sent between two British people and they can’t get to this,” said one Silicon Valley executive.
A UK official said it was “totally misleading” that the government was asking companies to build “back doors” into their software and hardware. Likewise, the government was not opposed to end-to-end encryption of communications.
What British security agencies want, they said, was for tech companies to use their own resources to crack into their users’ encrypted communications when requested to under legal warrant by the government. Companies such as Apple and Google have “more than enough” computing power to be able to do so, they added.
“The security services are saying: ‘We don’t want to hold the key, we don’t want the back door, we just want you to have it,’ ” said a tech executive familiar with the discussions.
Tech companies argue even this will require a wholesale recoding of communications services, weakening security standards in a way that may be exploited by criminals and state-sponsored hackers.
In a letter to the parliamentary subcommittee in December, Apple wrote: “A key left under the doormat would not just be there for the good guys. The bad guys would find it too.”
Tech companies have also grown exasperated by Ms May’s position on the issue of encryption, which one executive described as “unclear . . . despite the public messaging”.
Whitehall security mandarins remain confident that one of the biggest legal obstacles to companies’ compliance with UK requirements is also likely to be dismantled in the coming months: diplomats are pushing for a new intelligence arrangement with the US government — a “mutual legal assistance treaty” that would provide a special waiver for US-based companies to share data with Britain, where existing US law might prevent it.
“If we have that agreement in place then a lot of our concerns will be put to bed,” said a London-based executive at one large US tech company. “Without it, though, we are back to square one . . . we would just be in an impossible position in Britain.”