Information Matters: Encryption hits the headlines again - WhatsApp, Brexit and Freedom of Information

News

29.04.2016

Our last edition of Information Matters highlighted the recent announcement by WhatsApp that it had introduced full end-to-end encryption for communications sent between devices, noting that "It will certainly be interesting to see how governments around the world respond to this development…"

It is probably fair to say that we weren't envisaging a response along the lines alleged by The Sun on Thursday, which claimed that "David Cameron's inner circle are sending group texts using the WhatsApp service to keep details of how they are running the EU Remain campaign secret for all time."

The story provoked a furious reaction from many – from Hillsborough victim supporters (the Sun ran the story on its front page instead of the inquiry verdict) to Brexiteers. The head of Vote Leave described the allegations as "potentially criminal" and Tory MP David Davis saying they would "only reinforce the public's view that the Remain campaign is prepared to cheat to win this referendum." The concerns are focused on whether, by using a group chat facility (and notably an encrypted one), Ministers and aides would be keeping material out of the reach of Freedom of Information Act (FOIA) requests and, in the longer term, the historical records.

Aside from the particular sound and fury of the referendum debate, the story provides further evidence of how issues around data security, encryption and information law are increasingly featuring in frontline politics. In the US, there has been the long-running saga of Hillary Clinton's use of a private email server for government business during her time as Secretary of State, as well as the recent battle between Apple and the federal government on encryption and 'back-door' access to the iPhone, which we commented on in February. At the 'low tech' end of the spectrum, concerns over the use of Post-It notes in government (and the impact on freedom of information disclosure) have been raised both in the UK and Australia in recent years. And of course, the UK debate around government surveillance powers has been a vigorous and longstanding one, particularly in the context of the Investigatory Powers Bill (more familiar to non-lawyers as the "Snoopers' Charter").

As regards The Sun's story, it will be interesting to see if there is any particular fallout in terms of the government's view on private encrypted technology (noting Theresa May's ongoing struggle with the issue) and the Freedom of Information Act. A Labour MP has, according to the article, "written to the Information Commissioner to ask that this is urgently investigated and either banned completely or brought under the FoI legislation." But as previously reported in Information Matters, the government has only last month completed its FOI review and announced, essentially, that all was working well and very little needed changing.

Back in 2011 the ICO did provide guidance on the applicability of the legislation to official information held in private email accounts, stating that "Information held in non-work personal email accounts…may be subject to FOIA if it relates to the official business of the public authority. All such information which is held by someone who has a direct, formal connection with the public authority is potentially subject to FOIA regardless of whether it is held in an official or private email account". It also noted that "This is an emerging area of FOIA compliance and so the guidance may be updated in due course", so perhaps the ICO will feel compelled to respond – whether in its guidance or its blog, increasingly its preferred mouthpiece for quickfire comment on the news.

Looking more widely, does any of this matter outside of Whitehall – particularly for organisations not covered by the FOIA? At the very least it seems to indicate that the encryption concept has hit the mainstream, because MPs are hardly known as early adopters of tech. As I noted in my February article, the focus for most businesses is likely to continue to be the need to stay on the right side of data protection legislation in terms of consumer protection: adequate security arrangements are both a legal requirement and, increasingly, a market expectation.

If you require further information on anything covered in this briefing please contact Paul Jones ([email protected]; 020 3375 7254), Owen O'Rorke (owen.o'[email protected]; 020 3375 7348) or your usual contact at the firm on 020 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.