Want to have an encrypted phone in the UK? Guess what? That could soon be illegal, with a section of the UK government proposing to make the sale or possession of “bespoke encrypted phones” a criminal offense in its own right.
The measure is reportedly intended to help the country’s law enforcement agencies tackle organized crime and those who facilitate it, but civil liberties experts disagree with the move. Some of them think the proposal is overbroad and poorly defined and could sweep up other forms of secure communication used by the wider population if not adjusted.
The news highlights law enforcement’s continued targeting of the encrypted phone industry, which — as we can see — also includes legislative actions.
“At the moment the government proposal appears to be vague and overly broad. While it states that the provisions ‘will not apply to commercially available mobile phones nor the encrypted messaging apps available on them’ it is difficult to see how it will not result in targeting devices used on a daily [basis] by human rights defenders, protesters and pretty much all of us who want to keep our data secure,” Ioannis Kouvakas, senior legal officer and assistant general counsel at UK-based activism organization Privacy International, told Motherboard.
The Home Office proposes two legislative measures that it says could be used to improve law enforcement’s response to serious and organized crime and is seeking input from all parties — including law enforcement, businesses, lawyers, civil liberties NGOs, and the wider public.
“I welcome your input on these two proposals for possible future legislation to improve the response to the threat of serious and organised crime, to ensure that our law enforcement agencies remain ahead of the curve and to leave organised crime groups with no place to Hide,” a foreword written by the Home Secretary Suella Braverman reads.
The first measure looks to create new criminal offenses on the “making, modifying, supply, offering to supply and possession of articles for use in serious crime.” Among the specified items are “sophisticated encrypted communication devices used to facilitate organised crime.”
This would effectively criminalize owning an encrypted phone, selling one, or making one for use in crime.
Right now, law enforcement relies on workarounds in order to charge people who sell encrypted phones to criminals. In the U.S., prosecutors have turned to RICO, which is traditionally used to target mob bosses, to treat encrypted phone companies as criminal entities in their own right. In the Netherlands, authorities have charged encrypted phone sellers with money laundering offenses, while in other places like the United Arab Emirates – selling encrypted technologies not approved by the state faces penalties.
The Home Office points to companies such as Encrochat, which create “bespoke” devices that have been used by organized criminals in the UK, Europe, South America, and the Middle East. In 2020, French military police hacked into the company’s infrastructure and pushed a malicious update to Encrochat’s tens of thousands of handsets. From that, French police could read Encrochat user messages and then share the intelligence with other agencies, including the UK’s National Crime Agency. Data from the Encrochat hack has led to 2,864 arrests in the UK, the country’s largest investigation against organized crime ever.
According to the Home Office, both the encryption itself and modifications made to the phones are creating “considerable barriers” to law enforcement. Also, some encrypted phone companies physically remove the microphone, camera, and GPS functionality from handsets too and then sell these features as benefits for thousands of dollars with yearly subscriptions.
Given that price, the Home Office says it is “harder to foresee a need for anyone to use them for legitimate, legal reasons.”
However, there are legitimate use cases, like when defense lawyers use these phones to contact their clients.
That, apparently, is not a good enough reason for the Home Office, which would like to criminalize even the people who did not suspect the technology would be used for serious crime — simply because the technology is so “closely associated with a serious crime.” Potential signs could include someone paying for a phone “through means which disguise the identity of the payer” when the buyer pays for the device with cryptocurrency or cash.
The good thing, as far as we can tell, is that the provisions of the proposed law will not apply to “commercially available mobile phones nor the encrypted messaging apps available on them.” But the Home Office does not yet have a settled definition of what encompasses “sophisticated encrypted communication devices,” leaving open the question of what precisely the UK would be prepared to charge a person for possessing or selling.
Still, there is the question of what is too “bespoke” to be legal, according to Riana Pfefferkorn, the research scholar at the Stanford Internet Observatory.
“Many ‘secure phones’ are just heavily modified Android handsets. How much modification is too ‘sophisticated’ to be OK? Is just removing the camera and/or microphone enough? What about relabeling messaging apps with a Calculator icon?” he said.
The consultation period for members of the public to provide feedback to the Home Office ends on March 21st. And we will be watching this story closely, have no doubts about that.