The government does plan to introduce a ban on end-to-end encryption services in the forthcoming Investigatory Powers Bill, according to a report in today’s Daily Telegraph. Contrary to recent promises by Ministers that the government will not attempt to weaken or undermine encryption, the new obligation would require companies to ensure that they had the capability to decrypt any data they stored. This would particularly impact cloud-based companies like Apple and Facebook, which have won consumer trust for the integrity of their Facetime and WhatsApp communications services by designing them with encryption that protects customer data even from the company itself.
“End-to-end encryption” means, for communications, that the message is encrypted by the sender with a key known only to the intended recipient. Thus Alice can Facetime Bob safe in the knowledge that Apple cannot access the communication, even though Facetime communications need to be sent through servers run by Apple. End-to-end encryption also applies for data storage in the cloud: a business storing its corporate data in a cloud service like Amazon S3 or Google Glacier will encrypt that data with a key that it knows and Amazon or Google does not.
The ability to support end-to-end encryption has been a crucial factor enabling adoption of cloud-based services as a viable alternative to traditional applications run by corporate IT departments. Quite apart from any consumer backlash, prohibiting this capability would give pause to more security-sensitive businesses, that have a duty to protect the integrity of their customer data: if storing data in the cloud means exposing customer data to the cloud-service provider, use of cloud services becomes much riskier. Recent high-profile breaches at TalkTalk, Vodafone and credit-rating agency Experian have greatly raised sensitivity to risk.