The U.S. and UK governments are expected to sign a treaty in October that will force social media platforms based in either of the countries to “disclose encrypted messages from suspected terrorists, paedophiles and other serious criminals” to police in the other, according to the Times of London.
Police in either country have restricted ability to demand user data from a tech company based in the other. That’s more an issue for the UK than the U.S., in which the biggest platforms are headquartered. The Times reported that UK Home Secretary Priti Patel is slated to soon sign the “data access agreement,” which follows four years of “intense lobbying” by the UK to gain more direct access to data held on U.S. platforms like Facebook and its subsidiary WhatsApp.
According to the paper, Patel said UK authorities’ hands are currently tied by arrangements that keep transnational data-sharing to emergencies and a slow-moving treaty process:
At present the security services are only able to obtain data if there is a need for an “emergency disclosure” due to an imminent threat to life. The police and prosecutors can also request data under the “mutual legal assistance” treaty but the process is highly bureaucratic and can take up to two years.
Under the new treaty, the police, prosecutors and the security services can submit requests for information to a judge, magistrate or “other independent authority”. The process will be overseen by the investigatory powers commissioner.
Under the terms of the proposed arrangement, both governments will agree not to investigate each others’ citizens. The U.S. won’t be able to use data obtained from companies based in the UK in death penalty cases unless UK authorities have explicitly given permission to do so. Bloomberg confirmed news of the data sharing agreement as well.
It’s not clear whether the proposed arrangement actually requires companies to build backdoors into their encrypted products, something that law enforcement and intelligence agencies have been demanding for years, but which has been resisted by tech firms. Security experts generally say that any backdoor could be discovered by malicious third parties and compromise security for all users. It’s also reasonable to suspect the current situation is not hamstringing authorities as much as they state, and this is yet another way for Western law enforcement and intelligence agencies to push that agenda.
As Engadget noted, instead of mandating backdoors, the arrangement may instead create an awkward situation in which companies are forced to turn over data that is “effectively unusable” because it cannot be decrypted.
According to the Times, Patel has warned platforms in the past that they could be enabling crime and terrorism. In one high-profile example, the UK government criticized Facebook for refusing to hand over the account password of a murder suspect on a discretionary basis, instead telling police to pursue the matter through U.S. courts; the information only arrived on the day of the suspect’s trial.
“We oppose government attempts to build backdoors because they would undermine the privacy and security of our users everywhere,” Facebook told Bloomberg. “Government policies like the Cloud Act allow for companies to provide available information when we receive valid legal requests and do not require companies to build back doors.”