The Center for Cybersecurity Policy & Law submitted comments to the United Kingdom’s open consultation on the updated codes of practice and notice regulations for the Investigatory Powers Act (IPA).
The IPA is a primary surveillance law in the UK. The IPA establishes a framework for how public authorities, including law enforcement and intelligence agencies, can access and use communications data and interception power. The draft changes to the codes of practice and notice regulations reflect updates included in the Investigatory Powers (Amendment) Act 2024, passed in April 2024.
As detailed in the Center’s comments, the UK’s draft updates to the codes of practice and notices regulations raise new issues related to security, innovation, and due process. These concerns compound existing challenges present in the predecessor 2017 codes of practice. Ultimately, these proposed rules risk hindering operators from quickly addressing security threats and upgrading out-of-date security features, giving malicious actors an advantage. These challenges are further exacerbated by the Amendment’s expanded territorial scope and secrecy.
Specific issues with the UK’s draft IPA updates include:
- New Powers to Block Security Updates - The proposed updates to the IPA codes of practice provide sweeping new powers to the Home Office to delay or block any proposal for any security change that could have any impact on an array of state interests. These powers include the ability to issue “Notification Notices,” which require telecommunications operators to give the Home Office advance notice of security changes, yet which have no minimum timeline for when notice may be required nor clarity regarding what security changes are in scope. The updated IPA also restricts telecommunications operators from making security changes while challenging the validity of Technical Capability Notices that enable the Home Office to halt or modify operators’ security features. We argue that, even if these capabilities improve the Home Office’s ability to investigate, they should not be used to delay the deployment of critical security updates, encryption improvements, and new features to protect users from emerging cyber threats.
- Encryption Backdoors - Although the Center recognizes the challenges that encrypted digital services can pose for law enforcement, we have long opposed encryption backdoors since they can be misused by governments and exploited by malicious actors. Under the updated codes of practice, the Home Office includes a requirement that operators be able to “remove encryption” from all content on their services, including end-to-end encrypted messages. This effectively gives the Home Office the capability to require telecommunications operators to insert backdoors into encrypted systems, or to weaken their own security to preserve government access to user data. The Center believes this approach to encryption unacceptably weakens the security of the digital ecosystem and puts users at risk. Recent cyberattacks on telecommunications operators demonstrate these risks aren't theoretical. The Center’s comments urge the Home Office to strictly limit any such requirements.
- Global Impact and Legal Conflicts - The Investigatory Powers (Amendment) Act 2024 and its updated codes of practice extend the IPA’s reach far beyond the UK's borders. Now, any service used by people in the UK would fall under these requirements, even if the service provider operates from another country. This creates potential conflicts with other jurisdictions' laws, such as the EU's GDPR and the US CLOUD Act, which have strong data protection requirements. This extraterritorial scope could force companies into an impossible position: either violate laws in other jurisdictions, adopting a less secure standard worldwide, or bifurcate services between the UK and the rest of the world, providing UK users with less secure versions. Ultimately, some operators might choose to withdraw from the UK market entirely rather than compromise their security principles.
- Limited Transparency and Due Process - Adding to these concerns is the IPA’s lack of transparency. Operators receiving Notification Notices would be legally barred from disclosing their existence without explicit permission from the Home Secretary. This secrecy requirement could make it difficult for users to understand the true security state of their communications services. The updated IPA also provides limited ability for telecommunications operators to challenge the validity of Notification Notices and Technical Capability Notices. The Center’s comments argue that the Home Office should allow operators to publish the number of notices received in aggregate, and that IPA implementation should provide for independent oversight and adversarial judicial proceedings.
While the UK government's desire to maintain investigative capabilities is understandable, the Investigatory Powers (Amendment) Act 2024 and its updated codes of practice could inadvertently undermine the very security they aim to protect. The cybersecurity community's concerns deserve serious consideration as the UK finalizes these changes to ensure they don't create more problems than they solve.