UK Technology Regulation: Surveillance should not invade privacy

As the UK election campaign heats up, parties are rallying around the dangerous expansion of online surveillance.

Your messaging apps could soon become much less secure (and some may disappear altogether), and Westminster is to blame. Parliament is in the process of finalizing a number of amendments to the Investigatory Powers Act 2016 – the main piece of legislation requiring the UK Government to police citizens’ electronic communications. While supporters insist the changes are necessary to keep people safe, opponents say they risk significantly infringing on our online privacy. Worse still, tech companies may struggle to comply with the new regulations, which could force them to suspend operations in the UK.

These changes have generated little public or political debate and do not appear to play a role in the current election campaign, with support from both the Conservative government and the opposition Labor Party.

It’s sad. After Brexit, the UK has positioned itself as a technological leader, open to innovation and promising relaxed regulations compared to the European Union. Instead, it threatens to introduce the strictest online surveillance rules in a Western democracy.

The updated Investigative Powers Act would allow the government to order technology companies to delay or stop “material changes,” or product feature updates, that undermine law enforcement’s investigative powers. To ensure no feature goes unnoticed, the Home Office may require technology companies to notify them before making changes to their products.

In practice, such powers would likely be used to block new safeguards that might prevent existing surveillance techniques. This would not only stifle innovation in the technology sector. It would also have disastrous consequences for ordinary people using the products who are not allowed to provide these features, increasing their vulnerability to attacks by malicious actors.

Technology companies also fear conflicts with other regulatory regimes. In the UK, the new requirements of the Investigatory Powers Act could be seen as inconsistent with UK privacy laws, which require companies to “implement appropriate technical and organizational measures (e.g. encryption) to ensure a level of security appropriate to the risk.”

While surveillance and internal conflicts are concerning, an even more important danger will be conflicts with other jurisdictions. If a European Union regulator orders a multinational company to make a “material change”, UK law prohibits it from doing so and telling the EU why it cannot do so. The company would have to decide which jurisdiction to object to, which would almost certainly leave all parties unhappy. Since it would be illegal to even inform other countries about changes imposed by the UK, it would be impossible to come up with a solution that worked for everyone involved. And with Britain insisting that its Home Office’s regressive security lockdowns should apply around the world, this will surely lead to conflicts with friends and allies.

If this all sounds disturbing to you, I agree! This may cause so much concern or difficulty for businesses that they decide the easiest option is to simply stop offering their services in the UK. Some popular apps such as Signal and WhatsApp have already noted that they will leave the UK if they are told not to encrypt their messages. Despite the dangers, Westminster seems content to press on, risking the digital security of millions of Britons in the process.

Heather West is a non-resident CEPA Senior Fellow at ia Senior Director of Cybersecurity and Privacy Services at Venable Law Firm in Washington, DC. He holds degrees in computer science and cognitive science. Focuses on data management, data security, artificial intelligence and privacy in the digital age.

Bandwidth is CEPA’s online journal dedicated to strengthening transatlantic cooperation on technology policy. All opinions are those of the author and do not necessarily reflect the position or views of the institutions they represent or the Center for European Policy Analysis.