Just like China: UK wants to stop companies from patching vulnerabilities

Updated on: 23 August 2023

Gintaras Radauskas
Senior journalist

security-update — Image by Shutterstock.

The government of the United Kingdom is planning to require companies and researchers to report newly-found security vulnerabilities and leave them unpatched. This is what China is already doing.

The recently unveiled plans to revise the Investigatory Powers Act 2016 (IPA), the primary legislation governing the surveillance of electronic communications in the UK, have caught the eyes of cybersecurity and internet freedom experts.

That’s because the proposed revisions of the IPA – even if they’re cloaked in typical Bureaucratese – smell of huge consequences to cybersecurity professionals.

“Companies must work with us”

The UK government is already allowed by law to demand that companies alter their services in a manner that may affect all users. For instance, end-to-end encryption by WhatsApp or Signal can be removed or undermined worldwide if London decides that such a measure is proportionate to the aim sought.

However, the proposed changes could add another layer to the regulatory landscape – an obligation for companies to notify the government before introducing any technical changes to their systems.

This means that any messaging service planning to introduce an important and much-needed security feature would now have to first let the Home Office know in advance. Device manufacturers, regularly fixing vulnerabilities, would also have to inform the government.

"You can't be globally competitive when you need a UK bureaucrat to OK emergency updates fixing an actively exploited flaw,"
John Scott-Railton

“Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes,” says Ioannis Kouvakas, a senior legal office and assistant general counsel for Privacy International.

The UK government insists that “companies and governments can, and do, work together to ensure the safety of the public on a range of threats, from child sexual exploitation and abuse to terrorism content.”

“But, in order for that cooperation to be effective, and for our investigatory powers to remain effective against a backdrop of rapid technological change, companies must work openly and willingly with us,” the text of the consultation highlights.

Breach of international law?

Kouvakas thinks that the UK would breach international human rights law if it implemented the revisions and thus interfered with the privacy and security of online users.

According to him, these measures, undermining end-to-end encryption and other security tools designed to protect the user, are unlikely to survive the necessity and proportionality test enshrined in Article 8 of the European Convention on Human Rights.

John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto, said on Twitter/X that London’s move is “catastrophically shortsighted.”

“Any tech product that stays will be suspect in the global marketplace. The sector will flee. Goodbye tech investment & jobs. You can't be globally competitive when you need a UK bureaucrat to OK emergency updates fixing an actively exploited flaw,” said Scott-Railton.

“And you can't be trusted when the UK government can secretly stop you from securing your users.”

China has already been engaging in such practices. Every vulnerability discovered by Chinese researchers – who used to dominate marquee hacking competitions just a few years ago – has to be immediately reported to the government.